Bug 711419 (CVE-2011-1526)
Field | Value
---|---
Summary | CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | high
Priority | high
Version | unspecified
Hardware | All
OS | Linux
Reporter | Jan Lieskovsky <jlieskov>
Assignee | Red Hat Product Security <security-response-team>
CC | asanders, bressers, dpal, jplans, mjc, nalin, pmatouse, prc, security-response-team, vdanen, zmraz
Keywords | Security
Doc Type | Bug Fix
Doc Text | It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.
Last Closed | 2012-02-21 08:47:59 UTC
Bug Depends On | 713341, 713342, 719095, 719098
Bug Blocks | 712346, 742493
Description

Jan Lieskovsky
2011-06-07 13:06:19 UTC

This issue affects the versions of the krb5 package as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of the krb5-appl package as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the krb5-appl package as shipped with Fedora releases 14 and 15.

As noted in the upstream advisory, there are really two issues:

First, a problem was introduced when splitting various kerberized applications out of the krb5 sources into a separate krb5-appl package. A missing check in the configure script caused krb5_setegid() to be incorrectly defined as always returning an error, without trying to change the egid at all.

Second, the return value of krb5_setegid() was not checked, so ftpd did not detect the problem and continued without changed effective group privileges.

Both problems combined resulted in users' ftpd sessions running with egid == 0, i.e. with root group privileges. This problem affected Red Hat Enterprise Linux 6 and Fedora. The krb5 versions in Red Hat Enterprise Linux 4 and 5 were only affected by the second problem. This is still a potential problem, but without the first issue there is no easy way for an attacker to trigger a setegid failure. We plan to address the return value checking problem in a future krb5 package update in Red Hat Enterprise Linux 4 and 5.

Statement:

This issue was addressed in krb5-appl packages in Red Hat Enterprise Linux 6 via RHSA-2011:0920 and in krb5 packages in Red Hat Enterprise Linux 5 via RHSA-2012:0306. This issue is not planned to be addressed in Red Hat Enterprise Linux 4, where it was rated as having low security impact.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Via RHSA-2011:0920 https://rhn.redhat.com/errata/RHSA-2011-0920.html

Created krb5-appl tracking bugs for this issue

Affects: fedora-all [bug 719095]

IssueDescription:

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check for the potential failure of the krb5_setegid() function call. On systems where the set real, set effective, or set saved group ID system calls might fail, a remote FTP user could use this flaw to gain unauthorized read or write access to files that were owned by the root group.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Via RHSA-2012:0306 https://rhn.redhat.com/errata/RHSA-2012-0306.html
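The two failure modes the report describes (a krb5_setegid() that reports failure without changing anything, and a caller that never looks at the return value) are easy to reproduce in miniature. The following is an added example, not code from krb5, krb5-appl or Red Hat; `broken_krb5_setegid`, `working_krb5_setegid`, `login_unchecked` and `login_checked` are hypothetical names chosen for illustration. It runs as an unprivileged user because the target gid is the caller's own real gid, which setegid(2) always permits.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setegid_fn)(gid_t);

/* Hypothetical stand-in for the krb5-appl configure bug described in the
 * report: the fallback definition reports failure and never touches the
 * effective gid at all. */
static int broken_krb5_setegid(gid_t gid)
{
    (void)gid;
    errno = ENOSYS;
    return -1;
}

/* A working krb5_setegid(): simply the platform's setegid(2). */
static int working_krb5_setegid(gid_t gid)
{
    return setegid(gid);
}

/* Vulnerable pattern (hypothetical, modelled on the unchecked call in
 * ftpd): the return value is discarded and the session is served no
 * matter which egid the process is actually running with.
 * Returns 0 ("serve the session") unconditionally. */
static int login_unchecked(setegid_fn set_egid, gid_t user_gid)
{
    set_egid(user_gid);   /* result ignored: egid may still be 0 */
    return 0;
}

/* Hardened pattern: refuse to serve the session unless the call reported
 * success AND the kernel confirms the effective gid really changed.
 * Returns 0 on success, -1 if the session must be refused. */
static int login_checked(setegid_fn set_egid, gid_t user_gid)
{
    if (set_egid(user_gid) != 0) {
        fprintf(stderr, "setegid(%lu) failed: errno=%d\n",
                (unsigned long)user_gid, errno);
        return -1;
    }
    if (getegid() != user_gid) {
        /* Defends against a wrapper that returns 0 without doing the work. */
        fprintf(stderr, "setegid(%lu) returned 0 but egid is %lu\n",
                (unsigned long)user_gid, (unsigned long)getegid());
        return -1;
    }
    return 0;
}

int main(void)
{
    gid_t me = getgid();

    printf("unchecked + broken setegid: %s (egid still %lu)\n",
           login_unchecked(broken_krb5_setegid, me) == 0 ? "session served"
                                                         : "refused",
           (unsigned long)getegid());
    printf("checked   + broken setegid: %s\n",
           login_checked(broken_krb5_setegid, me) == 0 ? "session served"
                                                       : "refused");
    printf("checked   + working setegid: %s\n",
           login_checked(working_krb5_setegid, me) == 0 ? "session served"
                                                        : "refused");
    return 0;
}
```

The second check in `login_checked` is the one a reviewer would insist on for a daemon that starts as root: a privilege-dropping wrapper can fail to change anything while still returning 0, so the process should confirm its identity with the kernel (getegid(), or on Linux getresgid(2) for all three gids) before touching user-controlled paths.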