Bug 243204 (CVE-2007-3102) - CVE-2007-3102 audit logging of failed logins
Summary: CVE-2007-3102 audit logging of failed logins
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-3102
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-06-07 20:53 UTC by Steve Grubb
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version: RHSA-2007-0555
Clone Of:
Environment:
Last Closed: 2007-11-07 15:40:38 UTC
Embargoed:


Attachments
Patch addressing the issues listed above (1.91 KB, patch)
2007-06-08 19:02 UTC, Steve Grubb


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0555 0 normal SHIPPED_LIVE Moderate: pam security, bug fix, and enhancement update 2007-11-07 16:22:23 UTC

Description Steve Grubb 2007-06-07 20:53:50 UTC
Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim

causes:

type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)'


Version-Release number of selected component (if applicable):
all recent versions

Additional info:
Fixing this requires a small patch to pam to use a different audit logging function.

Comment 4 Steve Grubb 2007-06-08 19:02:30 UTC
Created attachment 156601 [details]
Patch addressing the issues listed above

This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)

Comment 6 Tomas Mraz 2007-06-14 10:11:02 UTC
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed, but that can be stated in the
audit-libs errata.


Comment 7 Steve Grubb 2007-06-14 12:12:21 UTC
To solve the problem, we have to do 1 of 2 things. We either need to fix pam to
escape acct itself, thereby fixing the vulnerability. Or we need to change pam to
use a different function & require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.

Comment 8 Tomas Mraz 2007-06-14 13:10:12 UTC
I know that and I can make a note in the errata text that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs>=1.5.4 in spec is necessary.


Comment 9 Mark J. Cox 2007-06-15 13:19:13 UTC
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102.

Comment 10 Tomas Mraz 2007-06-22 21:18:32 UTC
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
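The two halves of this report, the injected acct value from the description and the in-pam escaping decided on in comment 10, as an added illustration that is not the pam patch or audit-libs code. The encoding rule (quote printable values, hex-encode anything containing a space, quote or non-printable byte) is assumed to mirror the libaudit convention; the hostname and address are constructed from the report's example.

```python
import re

# Constructed from the report's example: the "username" an attacker supplies.
INJECTED_ACCT = b"fakeuser auid=1234 tty=pty1 host=127.0.0.1"


def needs_encoding(value: bytes) -> bool:
    # A space, double quote or any non-printable byte forces hex encoding.
    # (Assumed to mirror libaudit's rule; illustrative, not its code.)
    return any(b == 0x22 or b < 0x21 or b >= 0x7F for b in value)


def encode_nv(key: str, value: bytes) -> str:
    """Emit key="value" for safe values, key=HEX otherwise."""
    if needs_encoding(value):
        return f"{key}={value.hex().upper()}"
    return f'{key}="{value.decode("ascii")}"'


def format_pam_message(acct: bytes, escaped: bool) -> str:
    """Build the msg='PAM: authentication ...' payload that sshd's PAM stack logs.

    escaped=False reproduces the pre-fix behaviour from the report (acct pasted
    in verbatim); escaped=True applies encode_nv(). Host details are constructed.
    """
    acct_field = encode_nv("acct", acct) if escaped else "acct=" + acct.decode("ascii", "replace")
    return (f"PAM: authentication {acct_field} : exe=/usr/sbin/sshd "
            "hostname=discovery.redhat.com addr=192.168.1.171 terminal=ssh res=failed")


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(msg: str) -> dict:
    """Naive key=value tokenizer, the way a log-consuming IDS/IPS might parse a record."""
    return dict(FIELD_RE.findall(msg))


def decode_value(raw: str) -> str:
    """Undo encode_nv(): strip quotes, or hex-decode an unquoted hex value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


if __name__ == "__main__":
    for escaped in (False, True):
        fields = parse_fields(format_pam_message(INJECTED_ACCT, escaped))
        print("escaped" if escaped else "raw", "->", sorted(fields))
```

With the raw form the tokenizer reports forged auid, tty and host fields; with the escaped form the whole string stays inside acct and decodes back to what the client sent.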


Comment 14 Mark J. Cox 2007-11-07 14:14:43 UTC
opening bug, removing embargo

Comment 15 errata-xmlrpc 2007-11-07 15:40:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html


