CVE-2024-10963: pam_access access-restriction bypass via forged hostname

Key Information
CVE Number: CVE-2024-10963
Discovery Date: November 7, 2024
Last Updated: November 10, 2024
Impact Level: Important
CVSS v3 Score: 7.4

Vulnerability Details
Description: A flaw in pam_access, caused by improper handling of its configuration rules, allows an attacker to bypass access restrictions by forging a hostname that matches a rule intended to restrict access to specific TTYs or services. Environments that rely on such pam_access configurations to control access are at risk.

Risk Mitigation Measures
- Ensure DNS hostnames do not match local TTY or service names.
- Implement DNSSEC to prevent spoofing of DNS responses.
- Consider reconfiguring pam_access to accept only fully qualified domain names (FQDNs).

Affected Packages and Red Hat Security Patches
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat OpenShift Container Platform 4

CVSS v3 Score Details
CVSS v3 Base Score: 7.4
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

Copyright and Disclaimer
This page is generated by Red Hat and has not been reviewed to ensure accuracy or completeness. Copyright © 2021 MITRE Corporation.
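The mitigation measures above come down to one configuration property: no origin token in a pam_access rule should be a bare name that a hostname could also take. The audit script below is an added example, not code from Red Hat or the Linux-PAM project. It parses the access.conf line format (permission : users : origins), classifies each origin token, and reports the bare ones (neither a keyword, a domain suffix, an IP address or network, nor an FQDN); if a resolver callback is supplied, it additionally reports bare tokens that currently resolve in DNS, which is the collision the first mitigation warns about. The sample configuration, the resolver stub and all function names are constructed for this example; the default resolver never touches the network.

```python
"""Audit pam_access origin tokens that a forged hostname could match.

Added example (not Red Hat or Linux-PAM code). Parses the access.conf
line format  permission : users : origins  and reports origin tokens that
are bare names (no dot, not a keyword, not an IP/network), because a
bare token meant as a TTY or service name has the same shape as a short
hostname. The resolver callback is optional; the default is offline.
"""
import ipaddress
import socket
import sys
from typing import Callable, List, Tuple

# Words pam_access interprets specially in the origins field; never hostnames.
ORIGIN_KEYWORDS = {"ALL", "LOCAL", "EXCEPT", "NONE"}

Finding = Tuple[int, str, str]  # (line number, token or line, reason)


def is_ip_or_network(token: str) -> bool:
    """True for 10.0.0.5, 10.0.0.0/8, 10.0.0.0/255.0.0.0, IPv6 forms, or the
    old-style dotted prefix '10.0.0.' that access.conf also accepts."""
    if token.endswith(".") and token.rstrip(".").replace(".", "").isdigit():
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def classify_origin(token: str) -> str:
    if token in ORIGIN_KEYWORDS:
        return "keyword"
    if token.startswith("."):
        return "domain-suffix"      # e.g. .corp.example.com
    if is_ip_or_network(token):
        return "ip"
    if "." in token:
        return "fqdn"
    return "bare"                   # tty1, sshd, cron, or a short hostname


def audit_access_conf(text: str,
                      resolves: Callable[[str], bool] = lambda name: False) -> List[Finding]:
    """Return one finding per bare origin token (or per malformed line)."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps any ':' inside IPv6 origins in the third field.
        fields = line.split(":", 2)
        if len(fields) != 3:
            findings.append((lineno, line, "malformed: expected permission : users : origins"))
            continue
        for token in fields[2].split():
            if classify_origin(token) != "bare":
                continue
            if resolves(token):
                findings.append((lineno, token, "collision: bare origin token also resolves in DNS"))
            else:
                findings.append((lineno, token, "ambiguous: bare origin token; prefer an FQDN, IP or LOCAL"))
    return findings


def dns_resolves(name: str) -> bool:
    """Live resolver for command-line use; the offline demo does not call it."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


# Constructed sample configuration (not taken from any real host).
SAMPLE_ACCESS_CONF = """\
# constructed sample access.conf
+ : root : LOCAL
- : ALL EXCEPT wheel : tty1 tty2
+ : wheel : .corp.example.com 10.0.0.0/8
+ : ops : cron sshd bastion.corp.example.com
- : ALL : ALL
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = audit_access_conf(fh.read(), resolves=dns_resolves)
    else:
        # Offline demo: pretend a DNS name "tty1" exists, so line 3 is a collision.
        results = audit_access_conf(SAMPLE_ACCESS_CONF, resolves=lambda n: n == "tty1")
    for lineno, token, reason in results:
        print(f"line {lineno}: {token!r}: {reason}")
```

Run it with a path to audit a real file (`python audit_access.py /etc/security/access.conf`); without arguments it audits the constructed sample. A bare token such as `cron` or `sshd` is a legitimate service-name origin, so "ambiguous" is a review prompt rather than a defect; "collision" means the same spelling is already a resolvable DNS name and should be renamed or replaced by an FQDN or address.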