Tag: PAM

  • Tailsnitch: The Essential Security Watchdog for Your Tailscale Network

    Tailsnitch

    A security auditor for Tailscale configurations. Tailsnitch scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations.

    Tailscale is a Zero Trust identity-based connectivity platform that replaces your legacy VPN, SASE, and PAM and connects remote teams, multi-cloud environments, CI/CD pipelines, Edge & IoT devices, and AI workloads.

    Out-of-the-box, Tailscale solves many networking headaches. It has a customizable configuration to meet the demands of managing a distributed workforce. Tailscale helps provision for internal self-hosted and external third-party applications. It scales for growth as your requirements change.

    Security Checks

    Tailsnitch performs 52 security checks across 7 categories. See docs/CHECKS.md for detailed documentation of each check.

    Critical Severity

    | ID      | Check                                   | Risk                                 |
    |---------|-----------------------------------------|--------------------------------------|
    | ACL-001 | Default ‘allow all’ policy              | All devices have unrestricted access |
    | ACL-002 | SSH autogroup:nonroot misconfiguration  | SSH as any non-root user             |
    | ACL-006 | tagOwners too broad                     | Privilege escalation via tags        |
    | ACL-007 | autogroup:danger-all usage              | Access granted to external users     |

    High Severity

    | ID       | Check                              | Risk                                  |
    |----------|------------------------------------|---------------------------------------|
    | AUTH-001 | Reusable auth keys                 | Unlimited device additions if stolen  |
    | AUTH-002 | Long expiry auth keys              | Extended exposure window              |
    | AUTH-003 | Pre-authorized keys                | Bypass device approval                |
    | DEV-001  | Tagged devices without key expiry  | Indefinite access                     |
    | DEV-002  | User devices tagged                | Persist after user removal            |
    | DEV-010  | Tailnet Lock disabled              | No protection against stolen keys     |
    | DEV-012  | Pending Tailnet Lock signatures    | Unsigned nodes need review            |
    | NET-001  | Funnel exposure                    | Public internet access                |
    | NET-003  | Subnet router trust boundary       | Unencrypted traffic on local network  |
    | SSH-002  | Root SSH without check mode        | No re-authentication required         |

    Medium Severity

    | ID       | Check                        | Risk                        |
    |----------|------------------------------|-----------------------------|
    | ACL-004  | autogroup:member usage       | External users included     |
    | ACL-005  | AutoApprovers configured     | Bypass route approval       |
    | AUTH-004 | Non-ephemeral CI/CD keys     | Stale devices accumulate    |
    | DEV-003  | Outdated clients             | Potential vulnerabilities   |
    | DEV-004  | Stale devices                | Unused attack surface       |
    | DEV-005  | Unauthorized devices         | Pending approval queue      |
    | DEV-007  | Sensitive machine names      | CT log exposure             |
    | DEV-009  | Device approval config       | May not be enabled          |
    | NET-004  | HTTPS CT log exposure        | Machine names public        |
    | NET-005  | Exit node traffic visibility | Operator sees all traffic   |
    | NET-006  | Serve exposure               | Local services on tailnet   |
    | SSH-003  | Recorder UI exposure         | Sessions visible to network |

    Informational

    Checks for logging configuration, DNS settings, user roles, and manual verification items.
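    To make the ACL checks above concrete, here is an added illustration (not Tailsnitch's own code) of how ACL-001, ACL-006 and ACL-007 can be evaluated against a Tailscale policy. The sample policy is constructed, and the exact conditions Tailsnitch applies (in particular what "too broad" means for ACL-006) are assumptions.

```python
"""Added illustration, not Tailsnitch's own code: checks modelled on
ACL-001, ACL-006 and ACL-007 from the table above, run over a constructed
Tailscale policy. The exact conditions Tailsnitch uses are assumptions."""
import json

# Constructed policy in plain JSON (real policy files are HuJSON and may
# contain comments, which json.loads does not accept).
SAMPLE_POLICY = json.loads("""
{
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
  "ssh": [{"action": "accept", "src": ["autogroup:danger-all"],
           "dst": ["tag:prod"], "users": ["autogroup:nonroot"]}],
  "tagOwners": {"tag:prod": ["autogroup:member"]}
}
""")

def check_acl_001(policy):
    """ACL-001: an accept rule from every source to every host and port
    is Tailscale's default 'allow all' policy."""
    return any(r.get("action") == "accept"
               and "*" in r.get("src", []) and "*:*" in r.get("dst", [])
               for r in policy.get("acls", []))

def check_acl_006(policy, broad=("*", "autogroup:member")):
    """ACL-006 (assumed reading): a tag that any member may apply lets any
    member move a device into that tag's access rules. Returns such tags."""
    return [tag for tag, owners in policy.get("tagOwners", {}).items()
            if any(o in broad for o in owners)]

def check_acl_007(policy):
    """ACL-007: autogroup:danger-all as a source includes external users."""
    rules = policy.get("acls", []) + policy.get("ssh", [])
    return any("autogroup:danger-all" in r.get("src", []) for r in rules)

def audit(policy):
    """Return the IDs of the checks that fire, in table order."""
    findings = []
    if check_acl_001(policy):
        findings.append("ACL-001")
    if check_acl_006(policy):
        findings.append("ACL-006")
    if check_acl_007(policy):
        findings.append("ACL-007")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```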

    Install & Use

  • Plague Backdoor: New Linux Malware Infiltrates Authentication Stack, Evading Detection for a Year

    For nearly a year, a malicious module known as Plague evaded detection by Linux security solutions, despite its active proliferation and deep entrenchment within one of the system’s most critical components—the authentication stack. Its presence was only uncovered through the forensic analysis of artifacts uploaded to VirusTotal in late July 2024. To date, none of the samples have been flagged as threats by antivirus engines, underscoring the module’s exceptional stealth and the meticulous caution of its developers.

    According to researchers at Nextron Systems, Plague disguises itself as a legitimate PAM component—the Pluggable Authentication Module system, which governs access to virtually all services on Linux and UNIX platforms. By embedding itself into these authentication routines, the malicious code inherits the same privileges as native modules, allowing it to subvert authentication processes almost imperceptibly. This grants attackers persistent remote access via SSH, along with the ability to intercept user credentials silently and without leaving a trace.

    What sets Plague apart is its deliberate resistance to forensic scrutiny. It employs anti-debugging techniques, obfuscates strings and system calls, and manipulates environment variables associated with SSH sessions. Notably, it removes variables such as SSH_CONNECTION and SSH_CLIENT using the unsetenv function and redirects command history to /dev/null, effectively nullifying any audit trail in the shell history (HISTFILE).

    A particularly dangerous feature of this module is its resilience to system updates. Owing to its deep integration into the PAM infrastructure, Plague remains embedded even after service restarts and the installation of new packages. This combination of persistence and invisibility renders it especially perilous in enterprise environments, where PAM often falls beyond the reach of routine threat scanners.

    Moreover, Nextron’s researchers identified multiple variants of the module, suggesting an ongoing development phase and the possible testing of diverse configurations on live systems. This could indicate either a forthcoming large-scale campaign or an active infiltration of targeted infrastructures already underway.

    Plague is not merely another piece of Linux malware—it is emblematic of an evolving class of threats in which the attack begins not with the exploitation of vulnerabilities but with the subversion of trusted system components. This paradigm is particularly alarming given PAM’s limited visibility in standard monitoring tools and the insufficient protection of its loading chains. With its ability to fully emulate legitimate behavior and leave no discernible footprint, Plague could remain hidden for years—once, it already did.
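    One defensive consequence of a backdoor that hides as a PAM module is that the PAM stack itself deserves a baseline review. The following is an added example, not from the Nextron write-up, that parses pam.d-style configuration and flags module entries that are loaded from an absolute path or whose name is missing from an administrator-maintained allowlist. The configuration fragment, the baseline set and the module names in it are constructed for this illustration.

```python
"""Added example, not from the Nextron write-up: flag PAM modules in a
pam.d-style configuration that are not on a known-good baseline.
The sample config, baseline and module names are constructed."""
import re

# Constructed pam.d fragment; pam_unknown.so and pam_extra.so stand in
# for entries an administrator did not knowingly install.
SAMPLE_PAM_CONFIG = """
# /etc/pam.d/sshd (constructed sample)
auth       required     pam_env.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
session    optional     pam_keyinit.so force revoke
session    required     pam_unknown.so            # not provided by any package
session    required     /usr/local/lib/pam_extra.so
"""

# Modules expected on this host (constructed baseline, e.g. from package manifests).
BASELINE = {"pam_env.so", "pam_nologin.so", "pam_keyinit.so", "pam_unix.so"}

# type, control (a word or a [bracketed] list), module path, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[.*?\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam(text):
    """Yield (type, control, module_path, args) for each active module line.
    'include' and 'substack' lines name other files, not modules, so skip them."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        if control in ("include", "substack"):
            continue
        yield mtype, control, module, args or ""

def unexpected_modules(text, baseline=BASELINE):
    """Return module paths that are absolute (loaded from outside the default
    module directory) or whose basename is not in the baseline."""
    found = []
    for _, _, module, _ in parse_pam(text):
        name = module.rsplit("/", 1)[-1]
        if module.startswith("/") or name not in baseline:
            found.append(module)
    return found

if __name__ == "__main__":
    for m in unexpected_modules(SAMPLE_PAM_CONFIG):
        print("review:", m)
```

    On a real host the baseline would come from the package manager's file lists, and each flagged path should be verified against it before any action is taken.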