Hello, welcome to the Tuesday, November 9, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today we've got a diary from Xavier talking about Palm the plugable of vacation modules. Now, this is a security feature and a security tool,

but Xavier talks about how attackers may abuse this tool. The way Palm works is that you're able

to set up configuration files for different services, so for example, SSH, LDAB, but also for

authentication actions like, for example, pseudo, and you can then define modules that will, for example,

check passwords, check multifactor authentication keys, or whatever you want to use for authentication. Of course, authentication is always

critical for security. An attacker able to manipulate these configuration files is highly dangerous.

In the simplest form, an attacker could, for example, just enable some weak authentication mechanisms,

and with that bypass some hardening that, for example, you took for SSH or other exposed services.

But then there are also some outright malicious palm modules, for example, Palm Steel, which,

well, as the name implies, steals your credentials.

The Palm modules, of course, have access to your credentials, because after all, they're used

to verify them.

And this very simple module, as Xavier mentions, only 40 lines of code,

allows the attacker to dump any credentials entered by the user into a flat file. Monitoring your

Palm configuration is certainly critical and something that should be done continuously.

Some kind of file integrity monitor is what Xavier here suggests.

And that's certainly a good idea.

Also, it's not just Linux.

A lot of Unix and BSD-like systems, like for example, MacOS are using this for authentication and definitely

treat all these configuration files as highly sensitive, and they should never really change.

So doing some kind of file integrity monitoring makes a lot of sense here.

...