Red Hat Bugzilla – Bug 243204
CVE-2007-3102 audit logging of failed logins
Last modified: 2007-11-30 17:07:44 EST
Description of problem:
The logging of failed logins can be used to inject bad information into audit
ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim
type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)'
Version-Release number of selected component (if applicable):
all recent versions
Fixing this requires a small patch to pam to use a different audit logging function.
Created attachment 156601 [details]
Patch addressing the issues listed above
This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed but that can be stated in the
To solve the problem, we have to do one of two things. We either need to fix pam to
escape acct itself, thereby fixing the vulnerability. Or we need to change pam to
use a different function and require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.
I know that and I can make a note in the errata text that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs >= 1.5.4 in the spec is necessary.
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102.
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
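The injection in the description and the escaping fix discussed in the comments above, as an added worked example that is not part of the bug report, of pam, or of audit-libs. It feeds the username from the bug report through a constructed USER_AUTH record template and a naive key=value parser of the kind an IDS might use, once with acct= written raw (the vulnerable behaviour) and once hex-encoded. The encoding rule used here (emit the value double-quoted if every byte is printable 0x21-0x7E and not a double quote, otherwise emit unquoted uppercase hex) is modelled on libaudit's value encoding as I understand it; the exact character set, the record template, the timestamp and the ids are assumptions, not copied from the page.

```python
# Added example, not code from the bug report, pam or audit-libs.
# Shows how an unescaped acct= field injects fake key=value pairs into an
# audit record, and how hex-encoding the untrusted value defeats it.
import re

# Constructed sample input: the username from the bug report, and a template
# approximating the USER_AUTH record sshd/pam emits on a failed login.
# The real record carries auid=4294967295 (unset) and no tty= or host= keys.
SPOOFED_USER = "fakeuser auid=1234 tty=pty1 host=127.0.0.1"
RECORD_TEMPLATE = (
    "type=USER_AUTH msg=audit(1181228654.429:101): pid=8151 uid=0 auid=4294967295 "
    "msg='PAM: authentication acct={acct} exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.1.171 addr=192.168.1.171 terminal=ssh res=failed'"
)

# key=value tokens: single-quoted, double-quoted, or bare up to whitespace
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def needs_encoding(value: str) -> bool:
    """Assumed libaudit rule: anything outside printable 0x21..0x7E, or a
    double quote, means the value cannot be written literally."""
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in value.encode("utf-8"))


def encode_value(value: str) -> str:
    """Safe values are emitted double-quoted; unsafe ones as unquoted hex, so a
    consumer can never mistake their contents for further key=value pairs."""
    if needs_encoding(value):
        return value.encode("utf-8").hex().upper()
    return '"%s"' % value


def decode_value(token: str) -> str:
    """Undo encode_value: a double-quoted token is literal, bare is hex."""
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    return bytes.fromhex(token).decode("utf-8")


def build_record(acct: str, escape: bool) -> str:
    """Render the record with acct= either raw (vulnerable) or encoded."""
    return RECORD_TEMPLATE.format(acct=encode_value(acct) if escape else acct)


def parse_record(line: str) -> dict:
    """Naive consumer: collect key=value pairs from the outer record, then
    flatten the PAM text inside msg='...' into the same dict. Later keys
    overwrite earlier ones, which is exactly what the injection abuses."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val
    inner = fields.pop("msg", "")
    for key, val in KV_RE.findall(inner):
        fields[key] = val
    return fields


def demo():
    """Return (parsed vulnerable record, parsed escaped record)."""
    raw = parse_record(build_record(SPOOFED_USER, escape=False))
    fixed = parse_record(build_record(SPOOFED_USER, escape=True))
    return raw, fixed


if __name__ == "__main__":
    raw, fixed = demo()
    for name, fields in (("unescaped", raw), ("escaped", fixed)):
        print(name, {k: fields.get(k) for k in ("acct", "auid", "tty", "host")})
    print("recovered acct:", decode_value(fixed["acct"]))
```

In the unescaped run the parser reports auid=1234, tty=pty1 and host=127.0.0.1, all attacker-chosen; in the escaped run the whole username survives as one hex token, the real auid is untouched and the injected keys never exist. A consumer that wants the original string calls decode_value on the acct token, which is why the quoted/unquoted distinction matters: it is the only thing telling the reader whether a bare token is hex.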
opening bug, removing embargo
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.