Bug 459217 (CVE-2008-4313)

Summary: CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
Product: [Other] Security Response Reporter: Tim Potter <tpot>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adaora.onyia, doug.chapman, dwa, jlieskov, kreilly, kvolny, rick.hester, rvokal, security-response-team, tao, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-09 09:05:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 471370, 471371    
Bug Blocks:    
Attachments:
Description Flags
fixed local-or-remote-patch none

Description Tim Potter 2008-08-15 02:52:59 UTC 
Description of problem:

While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases.  It's always set to the service name, "wbem".  I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.

To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root.  By default this should not work, but it does.  If you change the access.conf file from:

-: ALL EXCEPT pegasus:wbemNetwork

to:

-: ALL EXCEPT pegasus:wbem

and retry accessing PG_ComputerSystem, the request fails as it is supposed to.

Looking at the differences between the local-or-remote-auth patch in 
tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.

Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Vitezslav Crhonek 2008-08-15 08:53:01 UTC 
I investigated it and your are right. It looks like mistake when rebasing to 2.7.x branch.

As far as I know, local-or-remote-auth patch should be part of upstream code in near future, so I check or fix it.
Comment 3 Vitezslav Crhonek 2008-10-13 15:06:41 UTC 
Created attachment 320192 [details]
fixed local-or-remote-patch

Proposed patch (NOT tested yet!)

Not very nice, but it's only provisional solution till this functionality will be part of upstream.
Comment 5 Jan Lieskovsky 2008-11-13 10:37:12 UTC 
This issue affects all versions of the tog-pegasus package, as shipped
with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10.

This issue does NOT affect the versions of the tog-pegasus package,
as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8.
Comment 9 Fedora Update System 2008-11-14 17:32:14 UTC 
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.1-3.fc10
Comment 10 Fedora Update System 2008-11-14 18:25:56 UTC 
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.0-7.fc9
Comment 13 Red Hat Product Security 2009-01-09 09:05:15 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-1001.html

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10061
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9688