util-linux Improper Hostname Canonicalization Vulnerability in login Utility

A vulnerability exists in the util-linux package, specifically in the login utility when used with the -h option. The issue arises from improper hostname canonicalization, which can alter the provided remote hostname before it is assigned to PAM_RHOST. This flaw could be exploited by a remote attacker who sends a specially crafted hostname, potentially circumventing host-based Pluggable Authentication Modules (PAM) access control that depends on fully qualified domain names. Such an exploitation could lead to unauthorized access.

Impact

Exploitation of this vulnerability can bypass host-based PAM access control rules, particularly those that differentiate between fully qualified domain names and short hostnames. This could result in unauthorized access, undermining the intended security policies managed by PAM.

Reproduction

To reproduce this vulnerability, access a remote login pathway that invokes the login utility with the -h option, such as through telnet or rlogin-style daemons. Ensure that the target system uses PAM modules that rely on PAM_RHOST for authorization, like pam_access, and that the local system hostname shares the same domain suffix as the attacker-supplied hostname. This combination can exploit the hostname canonicalization flaw, potentially bypassing PAM access controls.