Bug 1036897 (CVE-2012-6150)

Summary: CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, asn, gdeschner, jkurik, jlayton, pfrields, sbose, ssorce, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120612,reported=20131202,source=upstream,cvss2=2.9/AV:A/AC:H/Au:S/C:P/I:P/A:N,rhel-6/samba=affected,rhel-5/samba=notaffected,rhel-5/samba3x=affected,rhel-6/samba4=affected,rhel-7/samba=notaffected,fedora-all/samba=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-10 01:45:54 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1039499, 1039500, 1073352, 1073353, 1073356, 1073357, 1073905, 1073913    
Bug Blocks: 1036900, 1044102    

Description Vincent Danen 2013-12-02 16:16:48 EST 
It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the require_membership_of option is used as an argument to pam_winbind, and contains a non-existent group as the value.  In such a configuration, rather then failing and not permitting authentication which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, the user is obviously not a member of said group, authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced October 2009 and another commit [3] looks like the fix, although that is for another bug [4] that's somewhat related to this issue and somewhat not.


[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598
Comment 1 Vincent Danen 2013-12-02 16:29:03 EST 
CVE request:

http://www.openwall.com/lists/oss-security/2013/12/02/5
Comment 2 Andreas Schneider 2013-12-03 05:27:05 EST 
Dave put the wrong BUG URL into the commit message. It is https://bugzilla.samba.org/show_bug.cgi?id=10300
Comment 3 Vincent Danen 2013-12-06 11:54:43 EST 
Acknowledgements:

Red Hat would like to thank Sam Richardson for reporting this issue.
Comment 4 Vincent Danen 2013-12-06 12:07:39 EST 
Also note that you must successfully authenticate, meaning you must have or know a username/password to authenticate with.  This just breaks group membership validation post-successful authentication.
Comment 5 Huzaifa S. Sidhpurwala 2013-12-09 01:05:51 EST 
Reference:

http://www.samba.org/samba/security/CVE-2012-6150
Comment 7 Huzaifa S. Sidhpurwala 2013-12-09 04:44:35 EST 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1039500]
Comment 8 Huzaifa S. Sidhpurwala 2013-12-09 04:46:37 EST 
Statement:

(none)
Comment 14 errata-xmlrpc 2014-03-25 10:09:55 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0330 https://rhn.redhat.com/errata/RHSA-2014-0330.html
Comment 15 errata-xmlrpc 2014-04-09 13:43:21 EDT 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0383 https://rhn.redhat.com/errata/RHSA-2014-0383.html