CVE-2017-20002 in shadow
Summary
by MITRE • 03/17/2021
The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
Analysis
by VulDB Data Team • 04/02/2021
The vulnerability described in CVE-2017-20002 represents a critical security flaw in the Debian shadow package that fundamentally undermines the integrity of local authentication mechanisms. This issue specifically affects versions prior to 1:4.5-1 and stems from an incorrect configuration in the /etc/securetty file where pts/0 and pts/1 are erroneously classified as physical terminals. The shadow package is responsible for managing user authentication and password handling within Unix-like systems, making this flaw particularly dangerous as it directly impacts the core authentication infrastructure. The misconfiguration creates a pathway for unauthorized privilege escalation by allowing local users to bypass normal authentication restrictions that should prevent login access from non-physical terminal connections.
The vulnerability rests on the purpose of /etc/securetty, which lists the terminal devices the system treats as physically secure enough for privileged or password-less login. When pts/0 and pts/1 appear in that list, the PAM check that consults it can no longer distinguish a physical console from a pseudo-terminal allocated to a remote session such as SSH, so the nullok_secure restriction is satisfied by a non-physical login. The problem is most acute in virtualized environments, where pseudo-terminals are the norm, and becomes more severe still when automatically generated virtual machines ship with a blank root password. The flaw sits in the system-level authentication controls and undermines any policy that assumes access to password-less accounts is limited to physical terminals.
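The following Python is an added illustration, not code from the shadow package or from PAM: it models the nullok_secure decision in simplified form (empty-password login succeeds only when the session's tty is listed in /etc/securetty) and audits a securetty file for pseudo-terminal entries. The securetty contents are constructed and shortened; real files list many more consoles.

```python
"""Simplified model of pam_unix nullok_secure plus an /etc/securetty audit."""
import re
from pathlib import Path

# Constructed example contents (shortened): the pre-1:4.5-1 Debian file listed
# pts/0 and pts/1 alongside real consoles; the corrected file does not.
SECURETTY_VULNERABLE = "console\ntty1\ntty2\npts/0\npts/1\n"
SECURETTY_FIXED = "console\ntty1\ntty2\n"

PTS_PATTERN = re.compile(r"pts/\d+")


def parse_securetty(text):
    """Return the set of terminal names listed, ignoring blank lines and # comments."""
    ttys = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ttys.add(line)
    return ttys


def pseudo_terminal_entries(ttys):
    """Entries naming pseudo-terminals (pts/N). Any SSH, screen or tmux session
    receives one of these, so they must never count as physically secure."""
    return sorted(t for t in ttys if PTS_PATTERN.fullmatch(t))


def empty_password_login_allowed(tty, securetty_text, nullok_secure=True):
    """Assumed simplification of the nullok_secure rule for an account whose
    password is empty: allow only if the session tty is in securetty.
    With plain nullok (nullok_secure=False) the tty is not consulted at all."""
    if not nullok_secure:
        return True
    return tty in parse_securetty(securetty_text)


def audit_securetty_file(path="/etc/securetty"):
    """Read a securetty file and return its pseudo-terminal entries, or None
    when the file is absent (modern PAM then has nothing to consult)."""
    p = Path(path)
    if not p.is_file():
        return None
    return pseudo_terminal_entries(parse_securetty(p.read_text()))


if __name__ == "__main__":
    # A pts/0 session (as an SSH login would get) against each configuration.
    print("vulnerable:", empty_password_login_allowed("pts/0", SECURETTY_VULNERABLE))
    print("fixed:     ", empty_password_login_allowed("pts/0", SECURETTY_FIXED))
    print("host audit:", audit_securetty_file())
```

Run the script on a host to list any pts/N lines in its /etc/securetty; an empty list (or None when the file does not exist) is the expected result after the fix.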
The operational impact goes beyond a single privilege escalation: any local user can use the misconfigured terminal check to log in to a password-less account. The risk is greatest in cloud and virtualized environments where automated provisioning may produce machines with default configurations, including a blank root password, which makes the attack vector readily accessible. Because the bypass targets PAM's nullok_secure setting, even systems that were deliberately configured to refuse null-password logins from remote sessions are affected, since the terminal classification in /etc/securetty is what that setting relies on. The result is several security controls failing at once, exposing the system to unauthorized access and potential data compromise.
The security implications of this vulnerability align with CWE-284 (Improper Access Control) and represent a failure in privilege separation controls that should prevent unauthorized access to system resources. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques that exploit weak authentication controls and misconfigured system components. The attack requires minimal sophistication as it leverages existing system configurations rather than requiring complex exploitation techniques, making it particularly dangerous for environments where default configurations are not properly reviewed. Organizations using virtualized infrastructure or automated provisioning systems are especially vulnerable, as these environments often rely on default configurations that may include the problematic pts/0 and pts/1 terminal entries. The remediation involves updating the shadow package to version 1:4.5-1 or later, which correctly removes these pseudo-terminals from the securetty file, restoring proper authentication controls and preventing unauthorized privilege escalation through local access methods.
This vulnerability demonstrates the critical importance of proper system hardening and configuration management, as even seemingly minor issues in core system packages can create significant security weaknesses. The flaw illustrates how authentication controls can be bypassed through configuration errors rather than complex exploits, emphasizing that system administrators must maintain proper oversight of core security components. The impact is particularly severe in automated environments where default configurations are not reviewed, as these systems may be deployed with vulnerable settings that persist until manually corrected, creating persistent security risks across multiple systems and potentially entire infrastructure deployments.