Bug ID 428735: TACACS+ system auth and file descriptors leak

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF9, 11.2.1 HF16

Opened: Aug 23, 2013

Severity: 1-Blocking

Related Article: K14677

Symptoms

Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure): httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]. This can eventually lead to lack of access to the BIG-IP system from all but the root account.

Impact

If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Conditions

Remote system authentication configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based access method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. Repeated automated access using iControl is the fastest route.

Workaround

Several workaround options:
1. Use a system auth method other than TACACS+.
2. Use only SSH for administrative access.
3. Restart httpd as needed.
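A defender's check for this condition, added here as an example and not part of the F5 article: it counts the PAM error line from /var/log/secure (run over constructed sample lines) and reports each httpd process's open file descriptors against its soft limit from /proc, so the leak can be caught before the httpd restart workaround becomes urgent. The function names, the sample log content and the 80% warning threshold are assumptions.

```shell
#!/bin/bash
# Added example (not from the F5 article): detect the pam_bigip_authz
# file-descriptor exhaustion described in Bug ID 428735.

# Constructed sample of /var/log/secure lines; hostname, PIDs and
# addresses are made up.
SAMPLE_SECURE_LOG='Aug 23 10:01:02 bigip1 httpd[1234]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]
Aug 23 10:01:05 bigip1 sshd[2001]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Aug 23 10:02:17 bigip1 httpd[1234]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]
Aug 23 10:03:00 bigip1 httpd[1234]: pam_unix(httpd:auth): authentication failure'

PAM_FD_ERROR='pam_bigip_authz.so: cannot open shared object file: Too many open files'

# Count occurrences of the PAM error in log text read from stdin.
count_pam_fd_errors() {
    grep -c -F "$PAM_FD_ERROR" || true
}

# Percentage of an open-file limit that is in use (integer arithmetic).
fd_pressure_pct() {  # args: used limit
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when usage is at or above the threshold percentage.
fd_pressure_high() {  # args: used limit threshold_pct
    [ "$(fd_pressure_pct "$1" "$2")" -ge "$3" ]
}

# Report every httpd process's fd count against its soft "Max open files"
# limit from /proc (needs pgrep and read access to /proc/<pid>/fd).
httpd_fd_report() {  # args: threshold_pct (assumed default 80)
    local threshold="${1:-80}" pid used limit state
    for pid in $(pgrep -x httpd 2>/dev/null); do
        used=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l)
        limit=$(awk '/Max open files/ {print $4}' "/proc/$pid/limits" 2>/dev/null)
        [ -n "$limit" ] && [ "$limit" -gt 0 ] || continue
        state=ok
        fd_pressure_high "$used" "$limit" "$threshold" && state=LEAK_SUSPECTED
        printf 'httpd pid=%s fds=%s limit=%s pct=%s %s\n' \
            "$pid" "$used" "$limit" "$(fd_pressure_pct "$used" "$limit")" "$state"
    done
}

echo "PAM fd errors in sample log: $(printf '%s\n' "$SAMPLE_SECURE_LOG" | count_pam_fd_errors)"
echo "Live httpd fd report (empty if httpd is not running here):"
httpd_fd_report 80
```

On a BIG-IP, replace the sample with `count_pam_fd_errors < /var/log/secure` and run the report from cron; a rising pct for the same httpd PID under TACACS+ auth is the signature of this leak.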

Fix Information

A TACACS+ system auth and file descriptors leak has been corrected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips