Bug 1441604 - (CVE-2017-7488) CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170509,repor...
: Security
Depends On: 1444835 1449106
Blocks: 1415638 1441606
Reported: 2017-04-12 06:25 EDT by Adam Mariš
Modified: 2017-08-01 04:47 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on the existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 04:47:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Proposed patch (2.99 KB, patch)
2017-04-21 09:03 EDT, Tomas Mraz
Patch for RHEL-7.4 (2.97 KB, patch)
2017-04-25 07:00 EDT, Tomas Mraz


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2285 normal SHIPPED_LIVE Moderate: authconfig security, bug fix, and enhancement update 2017-08-01 07:26:21 EDT

Description Adam Mariš 2017-04-12 06:25:24 EDT
If SSSD is used for authentication against a remote server, information on whether a given username is present on the system or not is leaked. On console login, there is no password prompt for invalid usernames, and in the case of SSHD there is a noticeable difference in delay between a valid and an invalid username.

Affected configuration:

authconfig --enablesssdauth --update

Possible workaround (with side-effects):

authconfig --enablesysnetauth --update
Comment 1 Adam Mariš 2017-04-12 06:25:29 EDT
Acknowledgments:

Name: Tomas Mraz (Red Hat), Thorsten Scherf (Red Hat)
Comment 2 Tomas Mraz 2017-04-12 07:33:31 EDT
The question is whether fixing authconfig to produce a non-vulnerable configuration is sufficient. Unfortunately there is no clear safe way to automatically fix the vulnerable configuration if it is present on the system.

At best we would have to require the system administrator to run authconfig --update as running authconfig automatically can break existing customer modifications of PAM configuration.
Comment 7 Tomas Mraz 2017-04-21 09:03 EDT
Created attachment 1273319 [details]
Proposed patch

The patch fixes the configuration so pam_unix is skipped only for known non-local users which are not system users.
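As an added illustration (not part of this bug report or of the authconfig patch), the following Python models the Linux-PAM control flow of two constructed system-auth stacks, assumed to resemble what `authconfig --enablesssdauth` wrote before and after this fix, and reports whether an unknown user is routed past pam_unix (no password prompt) while a local user is prompted:

```python
import re
# Constructed sample auth stacks (assumption: what authconfig --enablesssdauth
# wrote before and after the fix, pam_env omitted; not taken from the bug report).
VULNERABLE = """auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
FIXED = """auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
KEYWORDS = {"required": "[success=ok default=bad]", "requisite": "[success=ok default=die]",
            "sufficient": "[success=done default=ignore]"}  # simple keyword -> [..] form

def parse(text):
    """Return [(actions, module)] for each auth line; other lines are ignored."""
    stack = []
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        ctl, module = m.groups()
        ctl = KEYWORDS.get(ctl, ctl)
        stack.append((dict(kv.split("=") for kv in ctl[1:-1].split()), module))
    return stack

def result(module, user):
    """Modelled outcome for user in {local, remote, unknown}; password assumed wrong."""
    ok = {"pam_faildelay.so": True, "pam_localuser.so": user == "local",
          "pam_succeed_if.so": user != "unknown"}   # succeed_if models 'uid >= 1000' only
    return "success" if ok.get(module, False) else "failure"

def password_prompted(text, user):
    """Walk the stack with Linux-PAM control semantics; True if pam_unix ran."""
    stack, i, prompted = parse(text), 0, False
    while i < len(stack):
        acts, module = stack[i]
        prompted |= module == "pam_unix.so"
        act = acts.get(result(module, user), acts.get("default", "bad"))
        if act in ("die", "done"):
            break
        i += int(act) + 1 if act.isdigit() else 1
    return prompted

def leaks_user_existence(text):
    """The CVE pattern: local users get a password prompt, unknown users do not."""
    return password_prompted(text, "local") and not password_prompted(text, "unknown")
```

In the fixed stack pam_unix is skipped only for a known user with uid >= 1000 who is not in the local passwd file, so an unknown name is prompted exactly like a local one.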
Comment 8 Tomas Mraz 2017-04-21 09:03:42 EDT
The patch is for upstream master but can be trivially backported to RHEL 7.4
Comment 9 Pavel Březina 2017-04-24 04:29:51 EDT
Patch looks good to me.
Comment 12 Tomas Mraz 2017-04-25 07:00 EDT
Created attachment 1273876 [details]
Patch for RHEL-7.4

Untested patch for RHEL-7.4.
Comment 13 Pavel Březina 2017-05-04 07:45:28 EDT
Can I include the fix in 7.4?
Comment 14 Tomas Mraz 2017-05-04 07:57:46 EDT
I think you can include it, it won't go out before the embargo is lifted.
Comment 15 Cedric Buissart 2017-05-04 10:15:46 EDT
Yes, all good
Comment 16 Pavel Březina 2017-05-05 08:03:26 EDT
There is a typo in this patch:
 60 +           if name == "succceed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
 61 +               args = args.replace("quiet_success", "quiet")

s/succceed_if/succeed_if
Comment 17 Pavel Březina 2017-05-05 08:29:40 EDT
I fixed the typo and pushed it to 7.4.
Comment 19 Cedric Buissart 2017-05-09 04:50:09 EDT
Created authconfig tracking bugs for this issue:

Affects: fedora-all [bug 1449106]
Comment 20 Cedric Buissart 2017-05-09 04:51:01 EDT
Mitigation:

Possible workaround (with side-effects):
authconfig --enablesysnetauth --update
Comment 23 errata-xmlrpc 2017-08-01 03:28:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2285 https://access.redhat.com/errata/RHSA-2017:2285
