CVE-2017-20002: 
Linux Debian vulnerability analysis and mitigation

The Debian shadow package before 1:4.5-1 contained a security vulnerability (CVE-2017-20002) where pts/0 and pts/1 were incorrectly listed as physical terminals in /etc/securetty. This vulnerability was discovered and disclosed in March 2021, affecting Debian systems using the shadow package versions prior to 4.5-1 (Debian LTS, NVD).

The vulnerability stems from an incorrect configuration in the /etc/securetty file that lists pts/0 and pts/1 as physical terminals. This misconfiguration allows bypassing of PAM's nullok_secure configuration. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

The vulnerability allows local users to login as password-less users even when connected through non-physical means such as SSH, bypassing intended security restrictions. This particularly impacts environments such as virtual machines that are automatically generated with default blank root passwords, effectively allowing all local users to escalate privileges (Debian LTS, Debian Bug).

The vulnerability was fixed in shadow version 1:4.5-1 by removing pts/0 and pts/1 from the /etc/securetty file. For Debian 9 (stretch), the fix was backported in version 1:4.4-4.1+deb9u1. It's worth noting that /etc/securetty was completely dropped in Debian 11/bullseye as a more comprehensive solution (Debian LTS).