Bug 243204 - (CVE-2007-3102) CVE-2007-3102 audit logging of failed logins
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Tomas Mraz
Keywords: Security
Reported: 2007-06-07 16:53 EDT by Steve Grubb
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Last Closed: 2007-11-07 10:40:38 EST

Attachments
Patch addressing the issues listed above (1.91 KB, patch)
2007-06-08 15:02 EDT, Steve Grubb

Description Steve Grubb 2007-06-07 16:53:50 EDT
Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim

causes:

type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)'


Version-Release number of selected component (if applicable):
all recent versions

Additional info:
Fixing this requires a small patch to pam to use a different audit logging function.
Comment 4 Steve Grubb 2007-06-08 15:02:30 EDT
Created attachment 156601
Patch addressing the issues listed above

This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)
Comment 6 Tomas Mraz 2007-06-14 06:11:02 EDT
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed but that can be stated in the
audit-libs errata.
Comment 7 Steve Grubb 2007-06-14 08:12:21 EDT
To solve the problem, we have to do 1 of 2 things. We either need to fix pam to
escape acct itself thereby fixing the vulnerability. Or we need to change pam to
use a different function & require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.
Comment 8 Tomas Mraz 2007-06-14 09:10:12 EDT
I know that and I can make a note in the errata text, that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs>=1.5.4 in spec is necessary.
Comment 9 Mark J. Cox (Product Security) 2007-06-15 09:19:13 EDT
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102
Comment 10 Tomas Mraz 2007-06-22 17:18:32 EDT
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
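
The following is an added illustration, not part of the original thread and not the attached patch or pam's own code (neither is shown on this page). It formats the acct field of the record from the description both verbatim and escaped; the function names, the ACCT_MAX cap and the choice of hex-encoding as the escaping scheme are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define ACCT_MAX 128                      /* assumed cap on the encoded name */
#define TAIL " : exe=/usr/sbin/sshd"      /* rest of the record, shortened */

/* A double quote or any byte outside printable non-space ASCII could end
 * the acct value early, so the remainder would be read as further fields. */
static int needs_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Unescaped form: the remote-supplied name is copied in verbatim. */
int format_acct_raw(char *out, size_t len, const char *acct)
{
    return snprintf(out, len, "PAM: authentication acct=%s" TAIL, acct);
}

/* Escaped form: clean names are quoted, anything else is hex-encoded. */
int format_acct_escaped(char *out, size_t len, const char *acct)
{
    static const char hex[] = "0123456789ABCDEF";
    char enc[2 * ACCT_MAX + 1];
    size_t i, n = strlen(acct);

    if (!needs_encoding(acct))
        return snprintf(out, len, "PAM: authentication acct=\"%s\"" TAIL, acct);
    if (n > ACCT_MAX)
        n = ACCT_MAX;                     /* truncate over-long names */
    for (i = 0; i < n; i++) {
        enc[2 * i] = hex[(unsigned char)acct[i] >> 4];
        enc[2 * i + 1] = hex[(unsigned char)acct[i] & 0x0f];
    }
    enc[2 * n] = '\0';
    return snprintf(out, len, "PAM: authentication acct=%s" TAIL, enc);
}

int main(void)
{
    /* Account name taken from the ssh example in the bug description. */
    const char *name = "fakeuser auid=1234 tty=pty1 host=127.0.0.1";
    char buf[512];

    format_acct_raw(buf, sizeof buf, name);
    printf("raw:     %s\n", buf);
    format_acct_escaped(buf, sizeof buf, name);
    printf("escaped: %s\n", buf);
    return 0;
}
```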
Comment 14 Mark J. Cox (Product Security) 2007-11-07 09:14:43 EST
opening bug, removing embargo
Comment 15 errata-xmlrpc 2007-11-07 10:40:38 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html
