Linux Account Lockout Threshold Not Configured

Vulnerability Information

Vulnerability name: Linux Account Lockout Threshold Not Configured

Vulnerability type: Misconfiguration

Severity: High

Description: This issue concerns an account lockout threshold that has not been configured on a Linux system. Linux is a widely used open-source operating system that runs on servers, desktops and embedded devices; because it is highly customizable and flexible, it is common in both enterprise services and personal use. The issue manifests as the system not enforcing an account lockout threshold, so repeated login attempts are not limited and the system is exposed to brute-force attacks. The technical root cause is that account lockout settings are not correctly configured in PAM (Pluggable Authentication Modules), specifically the absence of a properly configured pam_tally2.so or pam_faillock.so module. As a result an attacker can make unlimited login attempts, which increases the risk of unauthorized access. In terms of impact, this misconfiguration does not by itself cause data leakage or service interruption, but it makes brute-force attacks easier and may indirectly lead to more serious security incidents, such as unauthorized access once an account has been cracked. Notably, exploiting this weakness generally requires no authentication and can be automated, so the potential risk should not be overlooked.

Product: Linux

Source: https://github.com/projectdiscovery/nuclei-templates/blob/dfc176303ffebe3d9f231045fa3abe2cf2ca9874/misconfiguration%2Flinux%2Faccount-lockout-threshold-not-configured.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


```yaml
id: account-lockout-threshold-not-configured

info:
  name: Linux Account Lockout Threshold Not Configured
  author: songyaeji
  severity: high
  description: >
    The system does not enforce an account lockout threshold. Without this control,
    repeated login attempts are not restricted, leaving the system vulnerable to brute-force attacks.
    This template checks whether account lockout settings are configured in PAM modules.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
    - Cloud Vulnerability Assessment Guide(2024) by KISA
  tags: linux,local,pam,auth,misconfiguration,compliance
  metadata:
    verified: true
    os: linux
    max-request: 3
  classification:
    cwe-id: CWE-307
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 5.5

self-contained: true

code:
  - engine:
      - bash
    source: |
      grep -E 'pam_tally2.so|pam_faillock.so' /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/common-auth 2>/dev/null || echo "no-lockout-config"
    matchers:
      - type: word
        part: code_1_response
        words:
          - "no-lockout-config"
      - type: regex
        part: code_1_response
        regex:
          - 'pam_tally2.so(?!.*deny=)'
          - 'pam_faillock.so(?!.*deny=)'
```

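The following Python is an added example, not part of the template or of the nuclei-templates project. It audits PAM configuration text for the same condition the template's grep and regex matchers look for, and additionally handles two cases a single grep line does not: module lines that are commented out, and a pam_faillock threshold set in /etc/security/faillock.conf rather than as a `deny=` argument on the PAM line. All sample configurations are constructed; the function names are the author's own.

```python
import re

LOCKOUT_MODULES = ("pam_faillock.so", "pam_tally2.so")  # the failure counters the template greps for

def parse_pam_entries(config_text):
    """Return (module, args) for each active PAM line: `<type> <control> <module> [args]`."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments: a commented-out module does not count
        if not line:
            continue
        line = re.sub(r"\[[^\]]*\]", "CTRL", line, count=1)  # collapse a [default=die] control field
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries

def lockout_threshold(config_text, faillock_conf=""):
    """Return (module, deny) for the first lockout module found, else (None, None).
    deny is None when the module is present but neither the PAM line nor (for
    pam_faillock) the /etc/security/faillock.conf text in faillock_conf sets deny."""
    for module, args in parse_pam_entries(config_text):
        if module not in LOCKOUT_MODULES:
            continue
        for arg in args:
            m = re.fullmatch(r"deny=(\d+)", arg)
            if m:
                return module, int(m.group(1))
        if module == "pam_faillock.so":
            m = re.search(r"^\s*deny\s*=\s*(\d+)", faillock_conf, re.MULTILINE)
            if m:
                return module, int(m.group(1))
        return module, None
    return None, None

def classify(config_text, faillock_conf=""):
    """Map a config onto the outcomes the template's two matchers try to distinguish."""
    module, deny = lockout_threshold(config_text, faillock_conf)
    if module is None:
        return "no-lockout-config"  # the string the template's grep fallback echoes
    return "lockout-configured" if deny is not None else "lockout-without-threshold"

# Constructed sample inputs (not taken from any real host)
NO_LOCKOUT = "auth required pam_env.so\n# auth required pam_faillock.so deny=5\nauth sufficient pam_unix.so\n"
TALLY_NO_DENY = "auth required pam_tally2.so onerr=fail\n"
FAILLOCK_VIA_CONF = "auth [default=die] pam_faillock.so authfail\n"
FAILLOCK_CONF = "# faillock.conf\ndeny = 5\nunlock_time = 900\n"
```

The faillock.conf case matters when reviewing the template's findings: its regex `pam_faillock.so(?!.*deny=)` will report a host whose threshold is set only in /etc/security/faillock.conf, so that file should be checked before treating such a hit as a confirmed misconfiguration.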

http://example.com/2025/07/31/github_989610772/
Author: lianccc
Published: 31 July 2025