
CVE-2022-28321: n/a in n/a

Critical
Vulnerability
Published: Mon Sep 19 2022 (09/19/2022, 21:10:22 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

AI-Powered Analysis

Last updated: 07/07/2025, 23:24:59 UTC

Technical Analysis

CVE-2022-28321 is a critical vulnerability affecting the Linux-PAM package versions prior to 1.5.2-6.1 specifically in the openSUSE Tumbleweed and openSUSE Factory distributions. The vulnerability resides in the pam_access.so module, which is responsible for restricting user logins based on access control rules. The flaw arises because pam_access.so does not correctly enforce restrictions when a user attempts to authenticate via SSH from an IP address that cannot be resolved through DNS. Under these conditions, the module fails to deny access to users who should be blocked, effectively allowing an authentication bypass. This means that a user who is explicitly denied access by the system's access control policies can still gain SSH access if their connecting IP address lacks a resolvable DNS entry. The vulnerability is notable for requiring no privileges or user interaction to exploit, and it impacts confidentiality, integrity, and availability of the affected systems. The issue is limited in scope to openSUSE Tumbleweed and Factory distributions and does not affect the upstream Linux-PAM project or other Linux distributions. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation over the network without authentication and the severe impact on system security. The underlying weakness is classified under CWE-287 (Improper Authentication). No known public exploits have been reported in the wild as of the published date, but the critical nature of the flaw and its presence in rolling-release distributions used by developers and enterprises make it a significant threat. The vulnerability was published on September 19, 2022, and users of affected openSUSE versions should prioritize patching to Linux-PAM 1.5.2-6.1 or later to remediate this issue.

Potential Impact

For European organizations using openSUSE Tumbleweed or Factory, this vulnerability poses a severe risk. Successful exploitation allows unauthorized SSH access, potentially enabling attackers to gain full control over affected systems. This can lead to data breaches, unauthorized data modification, and disruption of services. Since SSH is a common remote administration protocol, the bypass undermines fundamental access controls, increasing the risk of lateral movement within networks and persistence by attackers. Organizations relying on openSUSE for critical infrastructure, development environments, or production servers may face operational disruptions and compliance violations, especially under GDPR regulations concerning unauthorized access and data protection. The vulnerability's impact is heightened in environments where DNS resolution is unreliable or intentionally manipulated, as attackers can exploit non-resolvable IP addresses to bypass restrictions. Given the critical severity and network-exploitable nature, European enterprises should treat this vulnerability as a high-priority security incident.

Mitigation Recommendations

1. Immediate upgrade of the Linux-PAM package to version 1.5.2-6.1 or later on all openSUSE Tumbleweed and Factory systems is the primary mitigation step.
2. Review and tighten SSH access control policies, ensuring that IP-based restrictions do not rely solely on DNS resolution.
3. Implement network-level controls such as firewall rules to restrict SSH access to trusted IP ranges, reducing exposure to untrusted sources.
4. Monitor SSH login attempts and system logs for unusual access patterns, especially from IP addresses that fail DNS resolution.
5. Consider deploying multi-factor authentication (MFA) for SSH access to add an additional layer of security beyond PAM controls.
6. For environments where patching immediately is not feasible, temporarily disable pam_access.so or configure it to avoid reliance on DNS resolution for access decisions, if possible.
7. Educate system administrators about the risks of DNS-dependent access controls and encourage validation of access control modules after updates.
8. Regularly audit and update DNS infrastructure to minimize unresolved IP addresses that could be exploited.
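Steps 2 and 4 above can be checked together: evaluate accepted SSH logins against an access policy that matches on IP address and CIDR only, so that a source's DNS resolvability plays no part in the allow/deny decision, and flag any accepted login that the policy would have denied or whose source has no reverse-DNS entry. The script below is an added example written for this page, not code from the Linux-PAM project or openSUSE. It assumes a simplified subset of the pam_access.conf rule format (`permission : users : origins`, first matching rule wins, access granted when no rule matches; `ALL EXCEPT` and tty origins are not implemented), and all log lines and the reverse-DNS table are constructed inline so it runs offline.

```python
import ipaddress
import re

# Constructed sshd log lines (sample data, not taken from the page or a real host).
SAMPLE_LOG = """\
Sep 19 21:10:22 host1 sshd[1201]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Sep 19 21:11:05 host1 sshd[1207]: Accepted password for bob from 203.0.113.45 port 40110 ssh2
Sep 19 21:12:40 host1 sshd[1213]: Failed password for carol from 198.51.100.9 port 33000 ssh2
Sep 19 21:13:01 host1 sshd[1219]: Accepted publickey for root from 10.0.0.7 port 22010 ssh2
"""

# Simplified pam_access-style rules as (permission, users, origins).
# Origins are IP/CIDR or "ALL" only, so no DNS lookup is involved in the decision.
RULES = [
    ("+", {"root"}, ["10.0.0.0/8"]),
    ("+", {"alice", "bob"}, ["192.168.1.0/24"]),
    ("-", {"ALL"}, ["ALL"]),
]

# Constructed reverse-DNS table standing in for real PTR lookups (assumption: offline stub).
REVERSE_DNS = {
    "192.168.1.20": "ws20.example.internal",
    "10.0.0.7": "admin7.example.internal",
}

# Matches the "Accepted/Failed <method> for <user> from <ip> port" shape of OpenSSH log lines.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_sshd(text):
    """Yield one dict per recognised sshd authentication line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield {"result": m.group(1), "user": m.group(2), "ip": m.group(3)}


def origin_matches(origin, ip):
    """True if ip falls inside origin; hostnames never match because DNS is not consulted."""
    if origin == "ALL":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False


def policy_allows(user, ip):
    """First matching rule decides; no match means access is granted (assumed default)."""
    for perm, users, origins in RULES:
        if ("ALL" in users or user in users) and any(origin_matches(o, ip) for o in origins):
            return perm == "+"
    return True


def audit(text, reverse_dns):
    """Return (user, ip, reasons) for accepted logins that deserve a second look."""
    findings = []
    for entry in parse_sshd(text):
        if entry["result"] != "Accepted":
            continue
        reasons = []
        if not policy_allows(entry["user"], entry["ip"]):
            reasons.append("accepted despite deny rule")
        if entry["ip"] not in reverse_dns:
            reasons.append("source has no reverse DNS")
        if reasons:
            findings.append((entry["user"], entry["ip"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in audit(SAMPLE_LOG, REVERSE_DNS):
        print(f"{user}@{ip}: {'; '.join(reasons)}")
```

On the constructed input only bob's login from 203.0.113.45 is reported: the IP-only policy denies it, and the source has no reverse-DNS entry, which is exactly the combination the advisory describes. On a real host, replace SAMPLE_LOG with the output of `journalctl -u sshd` or /var/log/auth.log and the stub table with actual PTR lookups; the policy evaluation itself stays DNS-free.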


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-04-01T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683880c6182aa0cae283969b

Added to database: 5/29/2025, 3:44:06 PM

Last enriched: 7/7/2025, 11:24:59 PM

Last updated: 7/26/2025, 1:42:36 AM
