Bug 1441604 (CVE-2017-7488)
| Field | Value |
|---|---|
| Summary | CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | dapospis, jlieskov, jpazdziora, mkosek, pbrezina, pkis, security-response-team, tmraz, tscherf |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-08-01 08:47:18 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1444835, 1449106 |
| Bug Blocks | 1415638, 1441606 |
| Attachments | |
Description
Adam Mariš
2017-04-12 10:25:24 UTC
Acknowledgments: Name: Tomas Mraz (Red Hat), Thorsten Scherf (Red Hat)

The question is whether fixing authconfig to produce a non-vulnerable configuration is sufficient. Unfortunately there is no clear safe way to automatically fix the vulnerable configuration if present on the system. At best we would have to require the system administrator to run authconfig --update, as running authconfig automatically can break existing customer modifications of the PAM configuration.

Created attachment 1273319 [details]
Proposed patch

The patch fixes the configuration so pam_unix is skipped only for known non-local users which are not system users.
The patch is for upstream master but can be trivially backported to RHEL 7.4.

Patch looks good to me.

Created attachment 1273876 [details]
Patch for RHEL-7.4

Untested patch for RHEL-7.4.

Can I include the fix in 7.4?

I think you can include it, it won't go out before the embargo is lifted.

Yes, all good.

There is a typo in this patch:
60 + if name == "succceed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
61 + args = args.replace("quiet_success", "quiet")
s/succceed_if/succeed_if

I fixed the typo and pushed to 7.4.

Created authconfig tracking bugs for this issue:
Affects: fedora-all [bug 1449106]

Mitigation: Possible workaround (with side-effects): authconfig --enablesysnetauth --update

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2285 https://access.redhat.com/errata/RHSA-2017:2285
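Review bot: in the quoted hunk (patch lines 60-61), the literal "succceed_if" in the `name ==` comparison can never equal the module name `succeed_if`, so that branch is unreachable and the `args.replace("quiet_success", "quiet")` on the following line never executes; the generated auth stack would keep `quiet_success` for every pam_succeed_if entry. Correct the spelling to "succeed_if" so the rewrite applies to the intended skip-next-on-failure entry in the auth stack.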
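The following is an added example, not code from the bug report or from authconfig itself. It models Linux-PAM auth-stack evaluation (the pam.conf(5) control syntax) just far enough to show why the configuration described in this bug treats an unknown login name differently from a local account, and what the fix described above changes. The two stacks are illustrative reconstructions assumed from the bug's own statement of the fix (pam_unix is skipped only for known non-local users which are not system users); they are not the verbatim authconfig output, and the user classes are constructed.

```python
# Added example, not from the bug report or from authconfig: a small model of
# Linux-PAM "auth" stack evaluation (pam.conf(5) control syntax), used to show
# why the authconfig-generated stack described in this bug distinguishes an
# unknown login name from a local one, and what the fix changes. The two
# stacks below are illustrative reconstructions assumed from the bug's own
# description of the fix (pam_unix must be skipped only for known non-local,
# non-system users); they are not the verbatim authconfig output.
from typing import Dict, List, Set, Tuple, Union

Action = Union[str, int]            # 'ok', 'done', 'bad', 'die', 'ignore' or a skip count
Control = Dict[str, Action]         # keyed by module return class: 'success' / 'default'
Entry = Tuple[Control, str, str]    # (control, module, module arguments)

# Keyword controls as pam.conf(5) defines them.
REQUIRED = {"success": "ok", "default": "bad"}
REQUISITE = {"success": "ok", "default": "die"}
SUFFICIENT = {"success": "done", "default": "ignore"}

# Constructed user classes: what the real modules would observe for each.
USERS: Dict[str, Dict] = {
    "local":       {"in_passwd": True,  "known": True,  "uid": 1001},
    "system":      {"in_passwd": True,  "known": True,  "uid": 81},
    "remote":      {"in_passwd": False, "known": True,  "uid": 5000},  # served by SSSD only
    "nonexistent": {"in_passwd": False, "known": False, "uid": None},
}


def run_module(module: str, args: str, user: Dict) -> str:
    """Result class a module returns for an enumeration probe (wrong password)."""
    if module == "pam_localuser":
        return "success" if user["in_passwd"] else "default"
    if module == "pam_succeed_if":  # only the "uid >= 1000" condition is modelled
        assert args.startswith("uid >= 1000"), args
        return "success" if user["known"] and user["uid"] >= 1000 else "default"
    if module in ("pam_unix", "pam_sss", "pam_deny"):
        return "default"            # the password is wrong, so these all fail
    raise ValueError(module)


def evaluate(stack: List[Entry], user: Dict) -> Tuple[str, List[str]]:
    """Walk the stack like libpam does; return (final result, modules actually run)."""
    executed: List[str] = []
    status = None   # None until a module sets it; a failure sticks once recorded
    skip = 0
    for control, module, args in stack:
        if skip:
            skip -= 1
            continue
        executed.append(module)
        result = run_module(module, args, user)
        action = control.get(result, control["default"])
        if isinstance(action, int):     # "default=N": jump over the next N entries
            skip = action
        elif action == "ignore":
            continue
        elif action in ("ok", "done"):
            if status is None:
                status = "success"
            if action == "done":
                return status, executed
        elif action in ("bad", "die"):
            status = "failure"
            if action == "die":
                return status, executed
    return status or "failure", executed


# Illustrative "before" stack: pam_unix runs only if pam_localuser finds the
# name in /etc/passwd, so an unknown name skips the password-hash work.
VULNERABLE: List[Entry] = [
    ({"success": "ok", "default": 1},        "pam_localuser",  ""),
    ({"success": "done", "default": "die"},  "pam_unix",       "nullok try_first_pass"),
    (REQUISITE,                              "pam_succeed_if", "uid >= 1000 quiet_success"),
    (SUFFICIENT,                             "pam_sss",        "forward_pass"),
    (REQUIRED,                               "pam_deny",       ""),
]

# Illustrative "after" stack: pam_unix is skipped only when the name is known,
# has uid >= 1000 and is not in /etc/passwd, i.e. a known non-local, non-system user.
FIXED: List[Entry] = [
    ({"success": "ok", "default": 1},        "pam_succeed_if", "uid >= 1000 quiet"),
    ({"success": "ok", "default": 1},        "pam_localuser",  ""),
    (SUFFICIENT,                             "pam_unix",       "nullok try_first_pass"),
    (REQUISITE,                              "pam_succeed_if", "uid >= 1000 quiet_success"),
    (SUFFICIENT,                             "pam_sss",        "forward_pass"),
    (REQUIRED,                               "pam_deny",       ""),
]


def pam_unix_skipped(stack: List[Entry]) -> Set[str]:
    """User classes for which the stack never reaches pam_unix."""
    return {name for name, user in USERS.items()
            if "pam_unix" not in evaluate(stack, user)[1]}


def leaks_user_existence(stack: List[Entry]) -> bool:
    """True when an unknown name and a local account differ in whether pam_unix runs."""
    skipped = pam_unix_skipped(stack)
    return ("nonexistent" in skipped) != ("local" in skipped)


if __name__ == "__main__":
    for label, stack in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{label}: leaks user existence = {leaks_user_existence(stack)}")
        for name, user in USERS.items():
            print(f"  {name:12s} -> {' '.join(evaluate(stack, user)[1])}")
```

In the modelled "before" stack an unknown name never reaches pam_unix (the costly password-hash check), while a local account does, which is the observable difference a timing probe can measure. In the modelled "after" stack every class except the known non-local, non-system user goes through pam_unix, so an unknown name and a local account take the same path through the expensive step. Running a comparable check against a real host still requires measuring the actual authentication latency, which this offline model does not do.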