Bug 459217 (CVE-2008-4313)

Summary: CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
Product: [Other] Security Response
Reporter: Tim Potter <tpot>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: adaora.onyia, doug.chapman, dwa, jlieskov, kreilly, kvolny, rick.hester, rvokal, security-response-team, tao, vcrhonek
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-09 09:05:15 UTC
Bug Depends On: 471370, 471371    
Attachments:
fixed local-or-remote-patch (flags: none)

Description Tim Potter 2008-08-15 02:52:59 UTC
Description of problem:

While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases.  It's always set to the service name, "wbem".  I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.

To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root.  By default this should not work, but it does.  If you change the access.conf file from:

-: ALL EXCEPT pegasus:wbemNetwork

to:

-: ALL EXCEPT pegasus:wbem

and retry accessing PG_ComputerSystem, the request fails as it is supposed to.

Looking at the differences between the local-or-remote-auth patch in tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.

Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.
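
An added example (not part of the original report, and not tog-pegasus or pam_access code) that models first-match access.conf evaluation to show why a PAM tty of "wbem" never hits the deny rule quoted above. It is a simplified model: it assumes pam_access's behaviour of granting access when no entry matches, and it handles only plain names, ALL and EXCEPT.

```python
"""Simplified model of pam_access first-match evaluation (constructed example)."""

def parse_rule(line):
    # access.conf entry layout: permission : users : origins
    perm, users, origins = (field.strip() for field in line.split(":", 2))
    if perm not in ("+", "-"):
        raise ValueError(f"bad permission field: {perm!r}")
    return perm, users.split(), origins.split()

def list_match(tokens, value):
    # "A B EXCEPT C": value must match a token before EXCEPT and none after it.
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        return list_match(tokens[:idx], value) and not list_match(tokens[idx + 1:], value)
    return any(tok == "ALL" or tok.lower() == value.lower() for tok in tokens)

def access_allowed(rules, user, tty):
    # The first rule whose users AND origins both match decides the outcome.
    # If no rule matches at all, access is granted (the fail-open default).
    for line in rules:
        perm, users, origins = parse_rule(line)
        if list_match(users, user) and list_match(origins, tty):
            return perm == "+"
    return True

SHIPPED = ["-: ALL EXCEPT pegasus:wbemNetwork"]  # rule quoted in the report
EDITED = ["-: ALL EXCEPT pegasus:wbem"]          # the reporter's test edit

def demo():
    return {
        # tty is always the service name "wbem" after the 2.7.0 rebase
        "shipped rule, root, tty=wbem": access_allowed(SHIPPED, "root", "wbem"),
        # tty equal to the origin the shipped rule expects
        "shipped rule, root, tty=wbemNetwork": access_allowed(SHIPPED, "root", "wbemNetwork"),
        "edited rule, root, tty=wbem": access_allowed(EDITED, "root", "wbem"),
        "edited rule, pegasus, tty=wbem": access_allowed(EDITED, "pegasus", "wbem"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOWED' if allowed else 'DENIED'}")
```

Appending a catch-all deny entry such as `-:ALL:ALL` to a rule list makes the same evaluation fail closed when the tty name does not match any earlier origin.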

Comment 1 Vitezslav Crhonek 2008-08-15 08:53:01 UTC
I investigated it and you are right. It looks like a mistake when rebasing to the 2.7.x branch.

As far as I know, the local-or-remote-auth patch should be part of the upstream code in the near future, so I will check or fix it.

Comment 3 Vitezslav Crhonek 2008-10-13 15:06:41 UTC
Created attachment 320192
fixed local-or-remote-patch

Proposed patch (NOT tested yet!)

Not very nice, but it's only a provisional solution until this functionality is part of upstream.

Comment 5 Jan Lieskovsky 2008-11-13 10:37:12 UTC
This issue affects all versions of the tog-pegasus package, as shipped
with Red Hat Enterprise Linux 5 and in Fedora releases 9 and 10.

This issue does NOT affect the versions of the tog-pegasus package,
as shipped with Red Hat Enterprise Linux 4 and in Fedora release 8.

Comment 9 Fedora Update System 2008-11-14 17:32:14 UTC
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10.

Comment 10 Fedora Update System 2008-11-14 18:25:56 UTC
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9.