
CVE-2022-28321: n/a in n/a

Severity: Critical
Published: Mon Sep 19 2022 (09/19/2022, 21:10:22 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

AI-Powered Analysis

Last updated: 07/07/2025, 23:24:59 UTC

Technical Analysis

CVE-2022-28321 is a critical vulnerability affecting the Linux-PAM package versions prior to 1.5.2-6.1, specifically in the openSUSE Tumbleweed and openSUSE Factory distributions. The vulnerability resides in the pam_access.so module, which is responsible for restricting user logins based on access control rules. The flaw arises because pam_access.so does not correctly enforce restrictions when a user attempts to authenticate via SSH from an IP address that cannot be resolved through DNS. Under these conditions, the module fails to deny access to users who should be blocked, effectively allowing an authentication bypass. This means that a user who is explicitly denied access by the system's access control policies can still gain SSH access if their connecting IP address lacks a resolvable DNS entry.

The vulnerability is notable for requiring no privileges or user interaction to exploit, and it impacts confidentiality, integrity, and availability of the affected systems. The issue is limited in scope to openSUSE Tumbleweed and Factory distributions and does not affect the upstream Linux-PAM project or other Linux distributions. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation over the network without authentication and the severe impact on system security. The underlying weakness is classified under CWE-287 (Improper Authentication).

No known public exploits have been reported in the wild as of the published date, but the critical nature of the flaw and its presence in rolling-release distributions used by developers and enterprises make it a significant threat. The vulnerability was published on September 19, 2022, and users of affected openSUSE versions should prioritize patching to Linux-PAM 1.5.2-6.1 or later to remediate this issue.

Potential Impact

For European organizations using openSUSE Tumbleweed or Factory, this vulnerability poses a severe risk. Successful exploitation allows unauthorized SSH access, potentially enabling attackers to gain full control over affected systems. This can lead to data breaches, unauthorized data modification, and disruption of services. Since SSH is a common remote administration protocol, the bypass undermines fundamental access controls, increasing the risk of lateral movement within networks and persistence by attackers. Organizations relying on openSUSE for critical infrastructure, development environments, or production servers may face operational disruptions and compliance violations, especially under GDPR regulations concerning unauthorized access and data protection. The vulnerability's impact is heightened in environments where DNS resolution is unreliable or intentionally manipulated, as attackers can exploit non-resolvable IP addresses to bypass restrictions. Given the critical severity and network-exploitable nature, European enterprises should treat this vulnerability as a high-priority security incident.

Mitigation Recommendations

1. Immediate upgrade of the Linux-PAM package to version 1.5.2-6.1 or later on all openSUSE Tumbleweed and Factory systems is the primary mitigation step.
2. Review and tighten SSH access control policies, ensuring that IP-based restrictions do not rely solely on DNS resolution.
3. Implement network-level controls such as firewall rules to restrict SSH access to trusted IP ranges, reducing exposure to untrusted sources.
4. Monitor SSH login attempts and system logs for unusual access patterns, especially from IP addresses that fail DNS resolution.
5. Consider deploying multi-factor authentication (MFA) for SSH access to add an additional layer of security beyond PAM controls.
6. For environments where patching immediately is not feasible, temporarily disable pam_access.so or configure it to avoid reliance on DNS resolution for access decisions, if possible.
7. Educate system administrators about the risks of DNS-dependent access controls and encourage validation of access control modules after updates.
8. Regularly audit and update DNS infrastructure to minimize unresolved IP addresses that could be exploited.
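The following Python script is an added example, not code from this page, from OffSeq, or from the Linux-PAM project. It models two of the recommendations above: step 4's log review (flagging successful SSH logins whose source address has no PTR record) and step 2's point that access rules keyed on hostnames silently depend on DNS while rules keyed on IP addresses or CIDR ranges do not. The sshd log lines, the PTR table, the access.conf fragments, and the simplified first-match/default-allow rule evaluation are all constructed assumptions; `is_allowed` is an illustrative model of access.conf semantics, not pam_access.so itself, and it does not reproduce the specific openSUSE defect described above.

```python
"""Detect DNS-dependent SSH access decisions (added example; all data constructed)."""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed sshd log excerpt in syslog format (not taken from any real host).
SAMPLE_AUTH_LOG = """\
Sep 19 21:10:22 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51522 ssh2
Sep 19 21:11:03 host1 sshd[1250]: Accepted password for bob from 198.51.100.7 port 40212 ssh2
Sep 19 21:12:45 host1 sshd[1261]: Failed password for invalid user carol from 203.0.113.9 port 33000 ssh2
Sep 19 21:13:01 host1 sshd[1270]: Accepted publickey for bob from 203.0.113.42 port 33010 ssh2
"""

# Constructed reverse-DNS table standing in for live PTR lookups; 203.0.113.42 has no entry.
FAKE_PTR = {"192.0.2.10": "jump.example.net", "198.51.100.7": "vpn.example.net"}

# Two constructed access.conf fragments: the first denies bob by hostname, the second by CIDR.
DNS_DEPENDENT_CONF = """\
- : bob : attacker-box.example.org   # deny keyed on a hostname: only matches if a PTR record exists
+ : ALL : ALL
"""
IP_BASED_CONF = """\
- : bob : 203.0.113.0/24             # deny keyed on an address range: no DNS lookup involved
+ : ALL : ALL
"""


def fake_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for reverse DNS, backed by the constructed table."""
    return FAKE_PTR.get(ip)


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; returns None when the address has no resolvable name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def unresolvable_logins(log_text: str, resolver: Resolver = reverse_dns) -> List[Tuple[str, str]]:
    """Return (user, ip) for successful SSH logins whose source IP has no PTR record."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and resolver(m.group(2)) is None:
            hits.append((m.group(1), m.group(2)))
    return hits


def parse_access_conf(text: str):
    """Parse 'permission : users : origins' lines into (perm, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line or line.count(":") < 2:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _origin_matches(origin: str, ip: str, resolver: Resolver) -> bool:
    """An origin is ALL, an IP/CIDR (matched arithmetically), or a hostname (needs a PTR lookup)."""
    if origin == "ALL":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        pass  # not an address or range, so treat it as a hostname
    name = resolver(ip)
    return name is not None and name.lower() == origin.lower()


def is_allowed(user: str, ip: str, rules, resolver: Resolver = reverse_dns) -> bool:
    """Simplified access.conf model: first matching rule decides; no match means allow."""
    for perm, users, origins in rules:
        if ("ALL" in users or user in users) and any(_origin_matches(o, ip, resolver) for o in origins):
            return perm == "+"
    return True


if __name__ == "__main__":
    print("logins from unresolvable addresses:", unresolvable_logins(SAMPLE_AUTH_LOG, fake_resolver))
    for label, conf in (("hostname rule", DNS_DEPENDENT_CONF), ("CIDR rule", IP_BASED_CONF)):
        verdict = is_allowed("bob", "203.0.113.42", parse_access_conf(conf), fake_resolver)
        print(f"{label}: bob from 203.0.113.42 allowed = {verdict}")
```

Run against the constructed data, the hostname-keyed deny rule lets bob in from 203.0.113.42 because no PTR record exists to compare against, while the CIDR-keyed rule denies him without any DNS involvement; the log scan reports that same login as the one worth reviewing. Swap `fake_resolver` for the default `reverse_dns` to run the log check against a real auth log.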


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-04-01T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683880c6182aa0cae283969b

Added to database: 5/29/2025, 3:44:06 PM

Last enriched: 7/7/2025, 11:24:59 PM

Last updated: 2/7/2026, 4:50:02 AM

