Bug 1036897 (CVE-2012-6150) - CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of
Alias: CVE-2012-6150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1039499 1039500 1073352 1073353 1073356 1073357 1073905 1073913
Blocks: 1036900 1044102
Reported: 2013-12-02 21:16 UTC by Vincent Danen
Modified: 2023-05-12 17:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-04-10 05:45:54 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2014:0330 | 0 | normal | SHIPPED_LIVE | Moderate: samba and samba3x security update | 2014-03-25 19:48:02 UTC
Red Hat Product Errata | RHSA-2014:0383 | 0 | normal | SHIPPED_LIVE | Moderate: samba4 security update | 2014-04-09 21:41:27 UTC

Description Vincent Danen 2013-12-02 21:16:48 UTC
It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the require_membership_of option is used as an argument to pam_winbind, and contains a non-existent group as the value. In such a configuration, rather than failing and not permitting authentication, which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, the user is obviously not a member of said group, yet authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced October 2009 and another commit [3] looks like the fix, although that is for another bug [4] that's somewhat related to this issue and somewhat not.

[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598
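
An audit for the misconfiguration described above, added here as an example and not taken from Samba or from this report: it scans PAM configuration text for pam_winbind lines and reports every require_membership_of name that does not resolve. It goes slightly beyond the single-group case by also splitting comma-separated values and skipping literal SIDs. The function names, the sample text and the use of `wbinfo -n` as the default lookup are assumptions of this example.

```python
import re
import subprocess

# The option as it appears on a pam_winbind line in a PAM config file.
OPTION = re.compile(r"\brequire_membership_of=(\S+)")
SID = re.compile(r"^S-1-\d+(-\d+)+$")


def wbinfo_resolves(name):
    """Default lookup (assumption): `wbinfo -n NAME` exits 0 only when
    winbind can map NAME to a SID."""
    try:
        result = subprocess.run(["wbinfo", "-n", name],
                                capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False  # existence cannot be confirmed, so report the name
    return result.returncode == 0


def audit_pam_text(text, resolves=wbinfo_resolves):
    """Return (line_number, name) for each required name that does not resolve."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop PAM comments
        if "pam_winbind.so" not in line:
            continue
        match = OPTION.search(line)
        if not match:
            continue
        for name in filter(None, match.group(1).split(",")):
            if SID.match(name):
                continue  # literal SIDs involve no name lookup
            if not resolves(name):
                findings.append((lineno, name))
    return findings


# Constructed sample: the two lines from the report plus a commented-out one.
SAMPLE = """\
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops
# auth      sufficient    pam_winbind.so require_membership_of=Disabled
"""

if __name__ == "__main__":
    known = {"Admin"}  # assumption: stand-in for the directory's real groups
    for lineno, name in audit_pam_text(SAMPLE, resolves=lambda n: n in known):
        print(f"line {lineno}: require_membership_of names unresolvable group {name!r}")
```

On a real host, pass the contents of each PAM service file and keep the default lookup; any finding marks a line that would fail open on an unpatched pam_winbind.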

Comment 1 Vincent Danen 2013-12-02 21:29:03 UTC
CVE request:


Comment 2 Andreas Schneider 2013-12-03 10:27:05 UTC
Dave put the wrong BUG URL into the commit message. It is https://bugzilla.samba.org/show_bug.cgi?id=10300

Comment 3 Vincent Danen 2013-12-06 16:54:43 UTC

Red Hat would like to thank Sam Richardson for reporting this issue.

Comment 4 Vincent Danen 2013-12-06 17:07:39 UTC
Also note that you must successfully authenticate, meaning you must have or know a username/password to authenticate with. This just breaks group membership validation post-successful authentication.

Comment 5 Huzaifa S. Sidhpurwala 2013-12-09 06:05:51 UTC


Comment 7 Huzaifa S. Sidhpurwala 2013-12-09 09:44:35 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1039500]

Comment 8 Huzaifa S. Sidhpurwala 2013-12-09 09:46:37 UTC


Comment 14 errata-xmlrpc 2014-03-25 14:09:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0330 https://rhn.redhat.com/errata/RHSA-2014-0330.html

Comment 15 errata-xmlrpc 2014-04-09 17:43:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0383 https://rhn.redhat.com/errata/RHSA-2014-0383.html
