Bug 1036897 - (CVE-2012-6150) CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of
CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1039499 1039500 1073352 1073353 1073356 1073357 1073905 1073913
Blocks: 1036900 1044102
  Show dependency treegraph
Reported: 2013-12-02 16:16 EST by Vincent Danen
Modified: 2016-02-15 07:09 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-04-10 01:45:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-12-02 16:16:48 EST
It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the require_membership_of option is used as an argument to pam_winbind, and contains a non-existent group as the value.  In such a configuration, rather then failing and not permitting authentication which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, the user is obviously not a member of said group, authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced October 2009 and another commit [3] looks like the fix, although that is for another bug [4] that's somewhat related to this issue and somewhat not.

[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598
Comment 1 Vincent Danen 2013-12-02 16:29:03 EST
CVE request:

Comment 2 Andreas Schneider 2013-12-03 05:27:05 EST
Dave put the wrong BUG URL into the commit message. It is https://bugzilla.samba.org/show_bug.cgi?id=10300
Comment 3 Vincent Danen 2013-12-06 11:54:43 EST

Red Hat would like to thank Sam Richardson for reporting this issue.
Comment 4 Vincent Danen 2013-12-06 12:07:39 EST
Also note that you must successfully authenticate, meaning you must have or know a username/password to authenticate with.  This just breaks group membership validation post-successful authentication.
Comment 5 Huzaifa S. Sidhpurwala 2013-12-09 01:05:51 EST

Comment 7 Huzaifa S. Sidhpurwala 2013-12-09 04:44:35 EST
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1039500]
Comment 8 Huzaifa S. Sidhpurwala 2013-12-09 04:46:37 EST

Comment 14 errata-xmlrpc 2014-03-25 10:09:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0330 https://rhn.redhat.com/errata/RHSA-2014-0330.html
Comment 15 errata-xmlrpc 2014-04-09 13:43:21 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0383 https://rhn.redhat.com/errata/RHSA-2014-0383.html

Note You need to log in before you can comment on or make changes to this bug.