CVE-1999-1162

Source: cve@mitre.org

MEDIUM
6.4
Published: May 24, 1993 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

Vulnerability in passwd in SCO UNIX 4.0 and earlier allows attackers to cause a denial of service by preventing users from being able to log into the system.

CVSS Metrics

Base Score: 6.4
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:N/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SCO UNIX 4.0 and earlier are vulnerable to a denial-of-service (DoS) attack through the passwd utility that prevents legitimate users from logging in. An attacker can disrupt system availability by manipulating the password change process, effectively locking out all users and causing a severe service outage.

02 // Vulnerability Mechanism

Step 1: Trigger Password Change Attempts: The attacker initiates a large number of password change requests, either manually or through an automated script. This could involve attempting to change the password for existing users or even nonexistent accounts.

Step 2: Resource Consumption/Locking: The passwd utility, when processing these requests, may attempt to lock or access system resources (e.g., the /etc/passwd file, the shadow password file, or other related files) in a way that leads to resource exhaustion or a locking conflict.

Step 3: Denial of Service: The excessive resource usage or locking prevents legitimate users from successfully changing their passwords, effectively locking them out of the system. This can also lead to the system becoming unresponsive or crashing, resulting in a denial-of-service (DoS).

03 // Deep Technical Analysis

The vulnerability lies within the passwd utility in SCO UNIX 4.0 and earlier. The exact mechanism is not explicitly detailed in the CVE description, but it likely involves a flaw in how passwd handles password changes, potentially related to file locking or resource allocation during the update of the /etc/passwd file or shadow password files. A likely scenario involves a race condition or a resource exhaustion vulnerability. An attacker could potentially trigger the vulnerability by repeatedly attempting to change passwords, causing the system to become unresponsive or preventing legitimate users from changing their passwords and logging in. The lack of proper error handling or resource management within the passwd utility is the root cause.

04 // Exploitation Status

Likely Discovery Only. Given the age of the vulnerability and the operating system, it is unlikely to be actively exploited in modern environments. However, it's possible that legacy systems or emulated environments could be vulnerable. No public PoC is explicitly mentioned, but the simplicity of the vulnerability suggests that a PoC could be easily developed.

05 // Threat Intelligence

Due to the age of the vulnerability, it is unlikely to be directly targeted by sophisticated APTs. However, it could be exploited by less skilled attackers or used as part of a broader attack chain targeting legacy systems. This vulnerability is not listed in the CISA KEV catalog.

06 // Detection & Hunting

  • Monitor system logs for a high volume of failed password change attempts, especially from the same source IP address or user accounts.

  • Analyze system resource usage (CPU, memory, disk I/O) for unusual spikes, particularly during password change operations.

  • Examine /var/log/auth.log or similar logs for repeated passwd-related errors or failures.

  • Monitor network traffic for unusual patterns of password change requests.

07 // Remediation & Hardening

  • Upgrade to a supported version of SCO UNIX or a modern operating system. This is the most effective remediation.

  • If upgrading is not possible, apply all available security patches for SCO UNIX 4.0 and earlier. However, patches may be difficult to find.

  • Implement strict access controls to the passwd utility, limiting who can execute it.

  • Monitor system logs and network traffic for suspicious activity related to password changes.

  • Consider using a more secure password management system if possible.

  • Implement rate limiting on password change attempts to mitigate potential DoS attacks.

08 // Affected Products

SCO UNIX 4.0 and earlier