Vulnerability Note VU#249491

IBM AIX login fails to adequately authenticate user when configured to use loadable authentication modules

Original Release date: 21 Dec 2001 | Last revised: 21 Dec 2001


There is a remotely exploitable flaw in IBM's AIX 5.1L login when using loadable authentication modules. This does not affect AIX 4.3 and earlier.


IBM AIX 5.1L login, with loadable authentication modules enabled and some non-default configurations, will permit users to login with an invalid password. This can be used to gain root access to the system. IBM AIX 4.3 and earlier are not affected by this vulnerability. IBM has issued an advisory addressing this issue.


An intruder can gain root access to the system.


IBM Has issued an advisory, and assigned this issue APAR #IY26302.

Disable integrated login permissions.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
IBMAffected-21 Dec 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Our thanks to IBM for the information contained in their advisory.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 19 Dec 2001
  • Date First Published: 21 Dec 2001
  • Date Last Updated: 21 Dec 2001
  • Severity Metric: 28.35
  • Document Revision: 6


If you have feedback, comments, or additional information about this vulnerability, please send us email.