Bug 243204 (CVE-2007-3102) - CVE-2007-3102 audit logging of failed logins
Summary: CVE-2007-3102 audit logging of failed logins
Alias: CVE-2007-3102
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
Reported: 2007-06-07 20:53 UTC by Steve Grubb
Modified: 2019-09-29 12:20 UTC (History)

Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-11-07 15:40:38 UTC

Attachments
Patch addressing the issues listed above (1.91 KB, patch)
2007-06-08 19:02 UTC, Steve Grubb

System ID: Red Hat Product Errata RHSA-2007:0555
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: pam security, bug fix, and enhancement update
Last Updated: 2007-11-07 16:22:23 UTC

Description Steve Grubb 2007-06-07 20:53:50 UTC
Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=" victim

type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host= : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=, terminal=ssh res=failed)'

Version-Release number of selected component (if applicable):
all recent versions

Additional info:
Fixing this requires a small patch to pam to use a different audit logging function.

Comment 4 Steve Grubb 2007-06-08 19:02:30 UTC
Created attachment 156601 [details]
Patch addressing the issues listed above

This is a patch that I am testing. It would require changing the spec file to
ask for audit-libs >= 1.5.4 since that will be the version of the audit library
that fixes the escaping for acct argument. (It should compile fine with current
audit library, though.)

Comment 6 Tomas Mraz 2007-06-14 10:11:02 UTC
I don't think we should explicitly require audit-libs >= 1.5.4 as that is
required just for the vulnerability to be fixed but that can be stated in the
audit-libs errata.

Comment 7 Steve Grubb 2007-06-14 12:12:21 UTC
To solve the problem, we have to do 1 of 2 things. We either need to fix pam to
escape acct itself, thereby fixing the vulnerability. Or we need to change pam to
use a different function & require the new audit-libs that has acct escaped so
we avoid duplicating code. Not doing either does not fix the problem.

Comment 8 Tomas Mraz 2007-06-14 13:10:12 UTC
I know that and I can make a note in the errata text, that you need to update
audit-libs as well. But I don't think that explicitly requiring
audit-libs>=1.5.4 in spec is necessary.

Comment 9 Mark J. Cox 2007-06-15 13:19:13 UTC
This issue has security implications as a third party may rely on parsing the
audit logs (like an IDS/IPS system) and this false information may be able to
fool it. Allocated CVE-2007-3102.

Comment 10 Tomas Mraz 2007-06-22 21:18:32 UTC
Because it was problematic to change from using audit_log_user_message() we've
decided to implement the escaping directly in the pam package so the audit
library change is not necessary anymore.
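An added example of the approach Comment 10 settles on, escaping the account name inside pam before it reaches the audit message; this is illustrative code, not the attached patch nor pam's or audit-libs' own code. The field layout and function names are assumptions, and the encoding rule (hex-encode any value containing whitespace, a double quote, or a byte outside printable ASCII, otherwise quote it) is assumed to be the kind of rule an escaping routine would use, so an input like the one in the description can no longer introduce extra key=value fields.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the value contains any byte that could break the
 * key=value structure of an audit record: whitespace, control
 * characters, non-ASCII bytes, or a double quote. */
static int needs_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x21 || c > 0x7E || c == '"')
            return 1;
    }
    return 0;
}

/* Render an untrusted account name for an audit message. Clean
 * values are wrapped in double quotes; anything else is hex-encoded
 * so the original bytes survive in the log but can no longer start
 * a new field. Caller frees the result. (Assumed rule, see lead-in.) */
char *encode_acct(const char *acct)
{
    size_t n = strlen(acct);
    char *out;
    if (!needs_encoding(acct)) {
        out = malloc(n + 3);
        if (out)
            snprintf(out, n + 3, "\"%s\"", acct);
        return out;
    }
    out = malloc(2 * n + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02X", (unsigned char)acct[i]);
    return out;
}

/* Build a simplified PAM-style message text (assumed layout) with
 * the account name made safe. Returns the snprintf result or -1. */
int format_auth_msg(char *buf, size_t len, const char *acct, const char *tty)
{
    char *e = encode_acct(acct);
    if (!e)
        return -1;
    int r = snprintf(buf, len, "PAM:authentication acct=%s tty=%s res=failed", e, tty);
    free(e);
    return r;
}
```

A log consumer then knows that an acct value is either a quoted string or a run of hex digits, and a parser can decode the latter back to the original bytes without ever treating them as field separators.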

Comment 14 Mark J. Cox 2007-11-07 14:14:43 UTC
opening bug, removing embargo

Comment 15 errata-xmlrpc 2007-11-07 15:40:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

