Bug 1036897 (CVE-2012-6150)

Summary: CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: abokovoy, asn, gdeschner, jkurik, jlayton, pfrields, sbose, ssorce, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-04-10 05:45:54 UTC
Bug Depends On: 1039499, 1039500, 1073352, 1073353, 1073356, 1073357, 1073905, 1073913
Bug Blocks: 1036900, 1044102

Description Vincent Danen 2013-12-02 21:16:48 UTC
It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the require_membership_of option is used as an argument to pam_winbind, and contains a non-existent group as the value.  In such a configuration, rather than failing and not permitting authentication, which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, then even though the user is obviously not a member of said group, authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced October 2009 and another commit [3] looks like the fix, although that is for another bug [4] that's somewhat related to this issue and somewhat not.


[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598
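
The fail-open behaviour described above, reduced to the membership check itself, as an added illustration that is not Samba's pam_winbind code: the group table, the SID values and the single required group are constructed stand-ins for winbind's lookup, and the two variants differ only in what happens when the required group cannot be resolved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a winbind group lookup (name -> SID). The lookup
 * fails when the group does not exist, which is the 'AdminOops' case. */
typedef struct { const char *name; const char *sid; } group_entry;

static const group_entry known_groups[] = {
    { "Admin", "S-1-5-21-0-0-0-1001" },   /* constructed sample SIDs */
    { "Users", "S-1-5-21-0-0-0-513"  },
};

/* Constructed sample user: a member of 'Users' only. */
static const char *const sample_user_sids[] = { "S-1-5-21-0-0-0-513" };
static const size_t sample_user_n = 1;

static bool lookup_group_sid(const char *name, const char **sid_out) {
    for (size_t i = 0; i < sizeof known_groups / sizeof known_groups[0]; i++) {
        if (strcmp(known_groups[i].name, name) == 0) {
            *sid_out = known_groups[i].sid;
            return true;
        }
    }
    return false;
}

static bool user_has_sid(const char *const sids[], size_t n, const char *sid) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(sids[i], sid) == 0) return true;
    return false;
}

/* Fail-open variant (the behaviour the bug describes): a required group that
 * cannot be resolved imposes no constraint, so the check passes. */
bool membership_ok_fail_open(const char *const sids[], size_t n, const char *required) {
    const char *sid;
    if (!lookup_group_sid(required, &sid))
        return true;              /* lookup failed -> treated as satisfied (bug) */
    return user_has_sid(sids, n, sid);
}

/* Fail-closed variant: an unresolvable required group denies access, since the
 * administrator's intent with require_membership_of was to restrict logins. */
bool membership_ok_fail_closed(const char *const sids[], size_t n, const char *required) {
    const char *sid;
    if (!lookup_group_sid(required, &sid))
        return false;             /* lookup failed -> deny */
    return user_has_sid(sids, n, sid);
}
```

With the sample user, both variants deny 'Admin' (the user is not a member), but only the fail-closed variant denies the non-existent 'AdminOops'.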

Comment 1 Vincent Danen 2013-12-02 21:29:03 UTC
CVE request:

http://www.openwall.com/lists/oss-security/2013/12/02/5

Comment 2 Andreas Schneider 2013-12-03 10:27:05 UTC
Dave put the wrong BUG URL into the commit message. It is https://bugzilla.samba.org/show_bug.cgi?id=10300

Comment 3 Vincent Danen 2013-12-06 16:54:43 UTC
Acknowledgements:

Red Hat would like to thank Sam Richardson for reporting this issue.

Comment 4 Vincent Danen 2013-12-06 17:07:39 UTC
Also note that you must successfully authenticate, meaning you must have or know a username/password to authenticate with.  This just breaks group membership validation post-successful authentication.

Comment 5 Huzaifa S. Sidhpurwala 2013-12-09 06:05:51 UTC
Reference:

http://www.samba.org/samba/security/CVE-2012-6150

Comment 7 Huzaifa S. Sidhpurwala 2013-12-09 09:44:35 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1039500]

Comment 8 Huzaifa S. Sidhpurwala 2013-12-09 09:46:37 UTC
Statement:

(none)

Comment 14 errata-xmlrpc 2014-03-25 14:09:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0330 https://rhn.redhat.com/errata/RHSA-2014-0330.html

Comment 15 errata-xmlrpc 2014-04-09 17:43:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0383 https://rhn.redhat.com/errata/RHSA-2014-0383.html