Bug 243204 (CVE-2007-3102)

Summary: CVE-2007-3102 audit logging of failed logins
Product: [Other] Security Response
Reporter: Steve Grubb <sgrubb>
Component: vulnerability
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Last Closed: 2007-11-07 15:40:38 UTC
Attachments:
Patch addressing the issues listed above (flags: none)

Description Steve Grubb 2007-06-07 20:53:50 UTC
Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim

causes:

type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)'


Version-Release number of selected component (if applicable):
all recent versions

Additional info:
Fixing this requires a small patch to pam to use a different audit logging function.

Comment 4 Steve Grubb 2007-06-08 19:02:30 UTC
Created attachment 156601 [details]
Patch addressing the issues listed above

This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)

Comment 6 Tomas Mraz 2007-06-14 10:11:02 UTC
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed but that can be stated in the
audit-libs errata.


Comment 7 Steve Grubb 2007-06-14 12:12:21 UTC
To solve the problem, we have to do 1 of 2 things. We either need to fix pam to
escape acct itself, thereby fixing the vulnerability. Or we need to change pam to
use a different function & require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.

Comment 8 Tomas Mraz 2007-06-14 13:10:12 UTC
I know that and I can make a note in the errata text, that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs>=1.5.4 in spec is necessary.


Comment 9 Mark J. Cox 2007-06-15 13:19:13 UTC
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102.

Comment 10 Tomas Mraz 2007-06-22 21:18:32 UTC
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
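The injection in the description and the pam-side escaping chosen in Comment 10, as an added example that is not the attached patch or the audit library's code. `needs_encoding`, `format_unsafe`, `format_escaped` and `count_fields` are hypothetical names; the encoding rule (quote clean values, hex-encode anything containing spaces, quotes or non-printable bytes) is modelled on the audit library's approach and is an assumption here, not a quote of its source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed rule: a value must be hex-encoded if it contains anything other
 * than printable ASCII, or contains a space or a double quote. */
static int needs_encoding(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x21 || c > 0x7e || c == '"') return 1;
    }
    return 0;
}

/* Formatting as described in the report: acct is inserted verbatim, so a
 * login name containing spaces turns into extra key=value fields. */
int format_unsafe(char *out, size_t n, const char *acct) {
    return snprintf(out, n, "PAM: authentication acct=%s", acct);
}

/* Hardened formatting: a clean name is quoted; anything suspicious becomes a
 * single hex token, so it can only ever be parsed as the acct field. */
int format_escaped(char *out, size_t n, const char *acct) {
    if (!needs_encoding(acct))
        return snprintf(out, n, "PAM: authentication acct=\"%s\"", acct);
    int len = snprintf(out, n, "PAM: authentication acct=");
    if (len < 0 || (size_t)len >= n) return len;
    for (; *acct && (size_t)len + 3 <= n; acct++)
        len += snprintf(out + len, n - len, "%02X", (unsigned char)*acct);
    return len;
}

/* What a naive space-splitting log consumer would see: the number of
 * key=value tokens in the message. */
int count_fields(const char *msg) {
    int count = 0;
    const char *tok = msg;
    while (*tok) {
        const char *end = strchr(tok, ' ');
        size_t len = end ? (size_t)(end - tok) : strlen(tok);
        if (memchr(tok, '=', len)) count++;
        tok = end ? end + 1 : tok + len;
    }
    return count;
}

int main(void) {
    /* Constructed input: the login name from the report's ssh example. */
    const char *acct = "fakeuser auid=1234 tty=pty1 host=127.0.0.1";
    char buf[256];
    format_unsafe(buf, sizeof buf, acct);
    printf("%s -> %d fields\n", buf, count_fields(buf));
    format_escaped(buf, sizeof buf, acct);
    printf("%s -> %d fields\n", buf, count_fields(buf));
    return 0;
}
```

With the verbatim formatting the forged auid, tty and host keys are indistinguishable from real fields; with the escaped form the whole name collapses into one acct token that a parser cannot mistake for anything else.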


Comment 14 Mark J. Cox 2007-11-07 14:14:43 UTC
opening bug, removing embargo

Comment 15 errata-xmlrpc 2007-11-07 15:40:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html