Bug 1441604 (CVE-2017-7488) - CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
Alias: CVE-2017-7488
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1444835 1449106
Blocks: 1415638 1441606
Reported: 2017-04-12 10:25 UTC by Adam Mariš
Modified: 2021-02-17 02:20 UTC

Fixed In Version:
Doc Text:
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on the existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
Clone Of:
Last Closed: 2017-08-01 08:47:18 UTC

Attachments
Proposed patch (2.99 KB, patch)
2017-04-21 13:03 UTC, Tomas Mraz
Patch for RHEL-7.4 (2.97 KB, patch)
2017-04-25 11:00 UTC, Tomas Mraz

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:2285 | 0 | normal | SHIPPED_LIVE | Moderate: authconfig security, bug fix, and enhancement update | 2017-08-01 11:26:21 UTC

Description Adam Mariš 2017-04-12 10:25:24 UTC
If SSSD is used for authentication against a remote server, information about whether a given username is present on the system or not is leaked. On console login, there is no password prompt for invalid usernames, and in the case of SSHD there is a noticeable difference in delay when giving a valid and an invalid username.

Affected configuration:

authconfig --enablesssdauth --update

Possible workaround (with side-effects):

authconfig --enablesysnetauth --update

Comment 1 Adam Mariš 2017-04-12 10:25:29 UTC

Name: Tomas Mraz (Red Hat), Thorsten Scherf (Red Hat)

Comment 2 Tomas Mraz 2017-04-12 11:33:31 UTC
The question is whether fixing authconfig to produce a non-vulnerable configuration is sufficient. Unfortunately, there is no clear safe way to automatically fix the vulnerable configuration if it is present on the system.

At best we would have to require the system administrator to run authconfig --update, as running authconfig automatically can break existing customer modifications of the PAM configuration.

Comment 7 Tomas Mraz 2017-04-21 13:03:05 UTC
Created attachment 1273319
Proposed patch

The patch fixes the configuration so pam_unix is skipped only for known non-local users which are not system users.
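
Added example, not part of the bug report or the attached patch: a heuristic Python check of a PAM auth stack for the condition discussed in the Description and in Comment 7, namely a module that can jump over pam_unix.so without an earlier pam_succeed_if uid test gating it. The two sample stacks, the use of pam_localuser.so as the skipping module, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample stacks (assumptions, not copied from the page or the patch).
BEFORE = """\
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
AFTER = """\
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

def parse_auth(text):
    """Return (jumps, module, args) for each 'auth' line; jumps maps result -> N."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            control, module, args = m.groups()
            # Only numeric actions such as default=1 are jumps ("skip next N").
            jumps = {k: int(n) for k, n in re.findall(r"(\w+)=(\d+)\b", control)}
            stack.append((jumps, module, args))
    return stack

def unguarded_unix_skips(text):
    """Modules that can jump over pam_unix.so with no earlier pam_succeed_if
    uid test whose own jump bypasses them and still lands before pam_unix."""
    stack = parse_auth(text)
    unix = next((i for i, e in enumerate(stack) if e[1] == "pam_unix.so"), None)
    if unix is None:
        return []
    findings = []
    for s, (jumps, module, _) in enumerate(stack[:unix]):
        if not any(s + n >= unix for n in jumps.values()):
            continue  # this module never skips pam_unix
        guarded = any(
            gmod == "pam_succeed_if.so" and "uid" in gargs
            and any(s <= g + n < unix for n in gjumps.values())
            for g, (gjumps, gmod, gargs) in enumerate(stack[:s]))
        if not guarded:
            findings.append(module)
    return findings
```

An empty result means no unguarded skip was found by this heuristic; it does not follow `include` or `substack` lines, so each referenced file has to be checked separately.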

Comment 8 Tomas Mraz 2017-04-21 13:03:42 UTC
The patch is for upstream master but can be trivially backported to RHEL 7.4.

Comment 9 Pavel Březina 2017-04-24 08:29:51 UTC
Patch looks good to me.

Comment 12 Tomas Mraz 2017-04-25 11:00:30 UTC
Created attachment 1273876
Patch for RHEL-7.4

Untested patch for RHEL-7.4.

Comment 13 Pavel Březina 2017-05-04 11:45:28 UTC
Can I include the fix in 7.4?

Comment 14 Tomas Mraz 2017-05-04 11:57:46 UTC
I think you can include it; it won't go out before the embargo is lifted.

Comment 15 Cedric Buissart 2017-05-04 14:15:46 UTC
Yes, all good

Comment 16 Pavel Březina 2017-05-05 12:03:26 UTC
There is a typo in this patch:
 60 +           if name == "succceed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
 61 +               args = args.replace("quiet_success", "quiet")
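
Review bot: the string literal on line 60 is spelled "succceed_if" with three c's; if the module name held in name is "succeed_if", this comparison never matches and the args.replace on line 61 never runs, so the quiet_success to quiet rewrite is silently skipped. Correct the literal to "succeed_if", and consider a test that asserts the generated auth line for this logic carries quiet rather than quiet_success, since a misspelled literal here fails without any error.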


Comment 17 Pavel Březina 2017-05-05 12:29:40 UTC
I fixed the typo and pushed to 7.4.

Comment 19 Cedric Buissart 2017-05-09 08:50:09 UTC
Created authconfig tracking bugs for this issue:

Affects: fedora-all [bug 1449106]

Comment 20 Cedric Buissart 2017-05-09 08:51:01 UTC

Possible workaround (with side-effects):
authconfig --enablesysnetauth --update

Comment 23 errata-xmlrpc 2017-08-01 07:28:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2285 https://access.redhat.com/errata/RHSA-2017:2285
