From the original report: "If SELinux is enabled, the _unix_run_helper_binary function in Linux-PAM 1.1.8 and earlier hangs indefinitely when verifying a password of 65536 characters, which allows attackers to conduct username enumeration and denial of service attacks. When supplying a password of 65536 characters or more, the process will block on the write(2) call at modules/pam_unix/support.c:614 because it tries to write strlen(passwd)+1 bytes to a blocking pipe and a pipe has a limited capacity of 65536 bytes on Linux." Acknowledgements: Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for reporting this issue.
So we (as PAM upstream developers) acknowledge the issue. I developed a patch that was reviewed by peer upstream developers and we will do a release after vendor notification. Can we get a CVE assigned?
Created attachment 1038860: The patch limiting the supported password length to 512 bytes
Public via: http://www.openwall.com/lists/oss-security/2015/06/25/13
pam-1.1.8-19.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.1.8-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
In the patch provided, in linux-pam/modules/pam_unix/pam_unix_passwd.c, static int _unix_run_update_binary: there is an "else" missing for both "if (fromwhat)" and "if (towhat)", hence this ends up writing "pam_modutil_write(fds[1], "", 1);" irrespective of the value. Is this expected, or is it a bug in the patch? Thanks.
Yes, that is fully intentional as we need to write the NULL byte as well.
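Added example, not the upstream patch or any code from this report, showing the shape of the mitigation described above: the parent refuses anything at or over the 512-byte cap before it writes, so no write can block on a full 65536-byte pipe, and otherwise writes the password plus its NUL terminator; the helper side reads until that NUL. The macro and function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Cap from the attached patch's description ("512 bytes"); this macro
 * name is an assumption, not the patch's own identifier. */
#define MAX_PASS_LEN 512

/* Parent side: reject oversized input before touching the pipe, so a
 * 64 KiB+ password can no longer block on a full 65536-byte pipe, then
 * write the password plus its NUL terminator (the reply above). */
ssize_t send_password(int fd, const char *passwd)
{
    size_t len = strlen(passwd);
    if (len >= MAX_PASS_LEN) { errno = EINVAL; return -1; }
    return write(fd, passwd, len + 1);
}

/* Helper side: read until the NUL arrives; -1 on EOF, error or overflow. */
ssize_t recv_password(int fd, char *buf, size_t bufsz)
{
    size_t got = 0;
    while (got < bufsz) {
        ssize_t n = read(fd, buf + got, bufsz - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
        if (memchr(buf, '\0', got))
            return (ssize_t)strlen(buf);
    }
    return -1;
}

/* Round-trips a constructed password of n 'A's through a local pipe;
 * returns the length the helper side got, or -1 if the sender refused. */
ssize_t roundtrip_n(size_t n)
{
    char *pw = malloc(n + 1), out[MAX_PASS_LEN];
    int fds[2];
    ssize_t rc = -1;
    if (pw == NULL || pipe(fds) != 0) { free(pw); return -1; }
    memset(pw, 'A', n); pw[n] = '\0';
    if (send_password(fds[1], pw) > 0)
        rc = recv_password(fds[0], out, sizeof out);
    close(fds[0]);
    close(fds[1]);
    free(pw);
    return rc;
}
```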
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6. Via RHSA-2015:1640 https://rhn.redhat.com/errata/RHSA-2015-1640.html