CVE-1999-1346
Description
PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Red Hat Linux 6.1 and earlier PAM misconfiguration allows rlogin access despite /etc/nologin disabling logins.
Vulnerability
CVE-1999-1346 is a PAM configuration ordering flaw in Red Hat Linux 6.1 and earlier. The /etc/pam.d/rlogin file places a less restrictive auth sufficient rule for pam_rhosts_auth.so before a more restrictive auth required rule for pam_nologin.so. This allows rlogin sessions to succeed without checking the /etc/nologin file, which is intended to block all non-root logins (e.g., during maintenance). The flawed ordering is present in Red Hat Linux 6.0 and 6.1 [1].
Exploitation
An attacker with network access to the host and valid rlogin credentials (or a host in .rhosts) can connect via rlogin even after the administrator has created /etc/nologin to deny all logins. No special privileges or user interaction beyond standard network access are required; the attacker simply invokes the rlogin command [1].
Impact
Successful exploitation circumvents the system-wide login restriction imposed by /etc/nologin, granting the attacker a remote shell session. This is an authorization bypass that compromises system integrity and availability (the administrator’s intended lockdown is defeated) [1].
Mitigation
Red Hat has acknowledged the issue as a configuration error. The fix is to reorder the rules in /etc/pam.d/rlogin so that pam_nologin.so is checked before pam_rhosts_auth.so, or to delete the duplicate pam_rhosts_auth.so entry if it is redundant. No official patched version has been released; administrators must manually correct the PAM configuration file [1].
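The ordering check implied by the fix above, as an added example (not code from Red Hat or from the cited reference). The two sample stacks are constructed from the rule order this page describes, use bare module names rather than full paths, and the function name nologin_bypasses is hypothetical:

```python
import re

# Fields of a pam.d rule: type, control (simple flag or [bracketed] form), module
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def can_end_stack_on_success(control):
    """True for 'sufficient' and for bracketed controls that map success to 'done'."""
    control = control.lower()
    return control == "sufficient" or bool(re.search(r"\bsuccess=done\b", control))

def nologin_bypasses(pam_text):
    """Return (line number, module) for every auth rule that can grant access
    before pam_nologin.so is consulted; (0, ...) if it is never consulted."""
    early = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or m.group(1).lower() != "auth":
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if module == "pam_nologin.so":
            return early  # later rules cannot skip the nologin check
        if can_end_stack_on_success(control):
            early.append((lineno, module))
    return [(0, "pam_nologin.so absent from auth stack")]

# Constructed sample: the flawed order (sufficient rule first)
FLAWED = """\
#%PAM-1.0
auth  sufficient  pam_rhosts_auth.so
auth  required    pam_nologin.so
"""

# Constructed sample: the corrected order (nologin checked first)
FIXED = """\
#%PAM-1.0
auth  required    pam_nologin.so
auth  sufficient  pam_rhosts_auth.so
"""

if __name__ == "__main__":
    for name, text in (("flawed", FLAWED), ("fixed", FIXED)):
        print(name, nologin_bypasses(text) or "ok")
```

An empty list means no auth rule can short-circuit the stack ahead of pam_nologin.so; the same function can be run over each file in /etc/pam.d that serves a remote login service.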
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=6.1
Patches (0)
No patches discovered yet.
References (1)
[1] marc.info (nvd)