Bug 243204 - (CVE-2007-3102) CVE-2007-3102 audit logging of failed logins
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Tomas Mraz
Keywords: Security
Reported: 2007-06-07 16:53 EDT by Steve Grubb
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Last Closed: 2007-11-07 10:40:38 EST

Attachments:
Patch addressing the issues listed above (1.91 KB, patch)
2007-06-08 15:02 EDT, Steve Grubb
Description Steve Grubb 2007-06-07 16:53:50 EDT
Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=" victim


type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host= : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=, terminal=ssh res=failed)'

Version-Release number of selected component (if applicable):
all recent versions

Additional info:
Fixing this requires a small patch to pam to use a different audit logging function.
Comment 4 Steve Grubb 2007-06-08 15:02:30 EDT
Created attachment 156601
Patch addressing the issues listed above

This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)
Comment 6 Tomas Mraz 2007-06-14 06:11:02 EDT
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed but that can be stated in the
audit-libs errata.
Comment 7 Steve Grubb 2007-06-14 08:12:21 EDT
To solve the problem, we have to do 1 of 2 things. We either need to fix pam to
escape acct itself thereby fixing the vulnerability. Or we need to change pam to
use a different function & require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.
Comment 8 Tomas Mraz 2007-06-14 09:10:12 EDT
I know that and I can make a note in the errata text, that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs>=1.5.4 in spec is necessary.
Comment 9 Mark J. Cox 2007-06-15 09:19:13 EDT
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102
Comment 10 Tomas Mraz 2007-06-22 17:18:32 EDT
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
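
Added example, not part of the original bug thread and not the attached patch or the pam code: a minimal C sketch of why the unescaped acct value splits into extra fields and how escaping keeps it a single token. The helper names (format_acct, build_msg, count_key) are hypothetical, and the encoding used (quote clean names, hex-encode names containing a space, quote, control or non-ASCII byte) is an assumption modeled on how the audit tools treat untrusted strings.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: acct="name" for clean names; hex-encode any name that
 * holds a space, quote, control or non-ASCII byte so it stays one token. */
static int format_acct(char *out, size_t len, const char *user)
{
    size_t i, n = strlen(user);
    int unsafe = 0;
    for (i = 0; i < n; i++)
        unsafe |= user[i] == '"' || (unsigned char)user[i] <= 0x20 || (unsigned char)user[i] >= 0x7f;
    if (!unsafe)
        return (size_t)snprintf(out, len, "acct=\"%s\"", user) < len ? 0 : -1;
    if (len < 5 + 2 * n + 1) return -1;
    memcpy(out, "acct=", 5);
    for (i = 0; i < n; i++)
        snprintf(out + 5 + 2 * i, 3, "%02X", (unsigned)(unsigned char)user[i]);
    return 0;
}

/* Build the msg text; escape=0 reproduces the unescaped "acct=%s" formatting. */
static int build_msg(char *out, size_t len, const char *user, int escape)
{
    char acct[256];
    if (escape ? format_acct(acct, sizeof acct, user) != 0
               : (size_t)snprintf(acct, sizeof acct, "acct=%s", user) >= sizeof acct)
        return -1;
    return (size_t)snprintf(out, len, "PAM: authentication %s : exe=/usr/sbin/sshd", acct) < len ? 0 : -1;
}

/* Count space-separated tokens starting with "key=", as a simple log parser would. */
static int count_key(const char *msg, const char *key)
{
    size_t klen = strlen(key);
    int hits = 0;
    for (const char *p = msg; *p; p++)
        hits += (p == msg || p[-1] == ' ') && !strncmp(p, key, klen) && p[klen] == '=';
    return hits;
}

int main(void)
{
    const char *evil = "fakeuser auid=1234 tty=pty1 host="; /* constructed: name from the report's ssh -l example */
    char raw[512], safe[512];
    if (build_msg(raw, sizeof raw, evil, 0) || build_msg(safe, sizeof safe, evil, 1)) return 1;
    printf("unescaped: %s\n  auid fields seen: %d\n", raw, count_key(raw, "auid"));
    printf("escaped:   %s\n  auid fields seen: %d\n", safe, count_key(safe, "auid"));
    return 0;
}
```

A log consumer that splits on spaces sees a forged auid field in the unescaped record and none in the escaped one; decoding the hex value recovers the exact string the client sent.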
Comment 14 Mark J. Cox 2007-11-07 09:14:43 EST
opening bug, removing embargo
Comment 15 errata-xmlrpc 2007-11-07 10:40:38 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

