Bug 1441604 (CVE-2017-7488)

Summary: CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dapospis, jlieskov, jpazdziora, mkosek, pbrezina, pkis, security-response-team, tmraz, tscherf
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
Story Points: ---
Last Closed: 2017-08-01 08:47:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1444835, 1449106
Bug Blocks: 1415638, 1441606
Attachments (description, flags):
Proposed patch, none
Patch for RHEL-7.4, none

Description Adam Mariš 2017-04-12 10:25:24 UTC
If SSSD is used for authentication against a remote server, information on whether a given username is present on the system or not is leaked. On console login, there is no password prompt for invalid usernames, and in the case of SSHD there is a noticeable difference in delay when giving a valid and an invalid username.

Affected configuration:

authconfig --enablesssdauth --update

Possible workaround (with side-effects):

authconfig --enablesysnetauth --update

Comment 1 Adam Mariš 2017-04-12 10:25:29 UTC
Acknowledgments:

Name: Tomas Mraz (Red Hat), Thorsten Scherf (Red Hat)

Comment 2 Tomas Mraz 2017-04-12 11:33:31 UTC
The question is whether fixing authconfig to produce non-vulnerable configuration is sufficient. Unfortunately there is no clear safe way to automatically fix the vulnerable configuration if present on the system.

At best we would have to require the system administrator to run authconfig --update as running authconfig automatically can break existing customer modifications of PAM configuration.

Comment 7 Tomas Mraz 2017-04-21 13:03:05 UTC
Created attachment 1273319 [details]
Proposed patch

The patch fixes the configuration so pam_unix is skipped only for known non-local users which are not system users.
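
As an added illustration (not code from this bug, from authconfig or from the patch), the script below walks a PAM "auth" stack the way libpam evaluates control flags and shows, for the user kinds the description and comment 7 distinguish, who is asked for a password and whether pam_unix runs. The two stacks are reconstructed from the description and comment 7 rather than quoted from the patch, and the supplied password is assumed to be wrong.

```python
import re
# Constructed "auth" stacks: pre-fix (as authconfig --enablesssdauth wrote
# it) and post-fix, reconstructed here rather than quoted from the patch.
VULNERABLE = """auth required   pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required   pam_deny.so"""
FIXED = """auth required   pam_env.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required   pam_deny.so"""
SHORTHAND = {"required": "success=ok default=bad",        # libpam keyword
             "requisite": "success=ok default=die",       # controls as
             "sufficient": "success=done default=ignore"}  # [value=action]
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def module_result(module, kind):
    """Modelled return code per user kind (password always wrong). local/system:
    in /etc/passwd, uid >= 1000 / < 1000; remote: SSSD only; unknown: nowhere."""
    if module == "pam_localuser.so":   # is the user in /etc/passwd?
        return "success" if kind in ("local", "system") else "auth_err"
    if module == "pam_succeed_if.so":  # the "uid >= 1000" test
        return {"local": "success", "remote": "success",
                "system": "auth_err"}.get(kind, "user_unknown")
    return "success" if module == "pam_env.so" else "auth_err"

def run_auth_stack(config, kind):
    """Walk the stack the way libpam does; return the modules that ran."""
    lines = [LINE.match(ln).groups() for ln in config.splitlines()]
    i, failed, ran = 0, False, []
    while i < len(lines):
        control, module = lines[i]
        spec = control.strip("[]") if control[0] == "[" else SHORTHAND[control]
        actions = dict(kv.split("=") for kv in spec.split())
        ran.append(module)
        action = actions.get(module_result(module, kind), actions["default"])
        if action == "die" or (action == "done" and not failed):
            break                                   # stack is decided
        failed = failed or action == "bad"
        i += int(action) + 1 if action.isdigit() else 1  # N = skip N lines
    return ran

def prompt_profile(config):
    """Which user kinds are asked for a password at all; a False is the leak."""
    return {k: bool({"pam_unix.so", "pam_sss.so"} & set(run_auth_stack(config, k)))
            for k in ("local", "system", "remote", "unknown")}
```

In the pre-fix stack an unknown name is rejected by the requisite pam_succeed_if before any password module runs, which is the missing prompt the description reports; in the fixed stack every kind is prompted and pam_unix is skipped only for the remote (known non-local, non-system) user.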

Comment 8 Tomas Mraz 2017-04-21 13:03:42 UTC
The patch is for upstream master but can be trivially backported to RHEL 7.4.

Comment 9 Pavel Březina 2017-04-24 08:29:51 UTC
Patch looks good to me.

Comment 12 Tomas Mraz 2017-04-25 11:00:30 UTC
Created attachment 1273876 [details]
Patch for RHEL-7.4

Untested patch for RHEL-7.4.

Comment 13 Pavel Březina 2017-05-04 11:45:28 UTC
Can I include the fix in 7.4?

Comment 14 Tomas Mraz 2017-05-04 11:57:46 UTC
I think you can include it, it won't go out before the embargo is lifted.

Comment 15 Cedric Buissart 2017-05-04 14:15:46 UTC
Yes, all good

Comment 16 Pavel Březina 2017-05-05 12:03:26 UTC
There is a typo in this patch:
 60 +           if name == "succceed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
 61 +               args = args.replace("quiet_success", "quiet")

s/succceed_if/succeed_if

Comment 17 Pavel Březina 2017-05-05 12:29:40 UTC
I fixed the typo and pushed to 7.4.

Comment 19 Cedric Buissart 2017-05-09 08:50:09 UTC
Created authconfig tracking bugs for this issue:

Affects: fedora-all [bug 1449106]

Comment 20 Cedric Buissart 2017-05-09 08:51:01 UTC
Mitigation:

Possible workaround (with side-effects):
authconfig --enablesysnetauth --update

Comment 23 errata-xmlrpc 2017-08-01 07:28:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2285 https://access.redhat.com/errata/RHSA-2017:2285