1258700 – (CVE-2015-5246) CVE-2015-5246 Foreman: previous password still allowed to log into foreman with Active Directory backend

Bug 1258700 (CVE-2015-5246) - CVE-2015-5246 Foreman: previous password still allowed to log into foreman with Active Directory backend

Summary: CVE-2015-5246 Foreman: previous password still allowed to log into foreman wi...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-5246
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1258701
TreeView+	depends on / blocked

Reported:	2015-09-01 03:56 UTC by Kurt Seifried
Modified:	2021-02-17 04:58 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-09-01 05:24:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2015-09-01 03:56:16 UTC

larry campbell reports via the foreman bug tracker:

This was found on Foreman 1.9.0:

I came across this issue by chance. I was forced to change my Active Directory password today. After doing so, I then (mistakenly) attempted to log onto Foreman with my previous password and was able to successfully log in. The new password also worked. I tried with other browsers and even another workstation that I had never logged onto and all attempts allowed me to log on with my non-valid previous password. Perhaps something on foreman/passenger/ruby/etc is caching my credential and not re-checking?

Initial Setup:
Have an Active Directory enviornment available for LDAP Authentication. Setup LDAP Authentication Source in Foreman and have a test user account created in Active Directory.

Steps to recreate:
1. Log on to Foreman with the Active Directory user. This should succeed. Log off.
2. Change your Active Directory account's password.
3. Log on to Foreman with the Active Directory user, and use the previous password. This should fail with authentication denied method, however it succeeds.

Upstream references:
http://projects.theforeman.org/issues/11471

Comment 1 Ján Rusnačko 2015-09-01 05:14:50 UTC

If I remember correctly I ran into this back in the past - this is a feature in Active Directory. It remembers the old password for some time to allow you to log back in should you mess up your new password. I think there`s some timeout, maybe 5 minutes? after which the old password won`t be usable. 

If Foreman delegates authentication to Active Directory, this is how it`ll look like. However, since authentication is delegated to Active Directory this cannot be a vulnerability in Foreman.

Comment 2 Ján Rusnačko 2015-09-01 05:24:43 UTC

Googled a bit and the timeout is 1 hour.

References:
http://serverfault.com/questions/461139/ntlm-auth-can-login-in-ad-with-both-old-and-new-passwords
https://support.microsoft.com/en-us/kb/906305
http://timstechnoblog.blogspot.cz/2010/02/old-password-still-valid-for-hour.html

Comment 3 Doran Moppert 2020-02-11 00:29:16 UTC

Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.

Note You need to log in before you can comment on or make changes to this bug.

abaron
aortega
apevec
ayoung
bkearney
chrisw
cpelland
dallan
gkotton
jrusnack
jschluet
katello-bugs
lhh
lpeer
markmc
mburns
mmccune
ohadlevy
rbryant
rhos-maint
sclewis
tdecacqu
tjay
tlestach
yeylon