248059 – CVE-2007-3102 audit logging of failed logins

Bug 248059 - CVE-2007-3102 audit logging of failed logins

Summary: CVE-2007-3102 audit logging of failed logins

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	5.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-07-12 21:03 UTC by Tomas Mraz
Modified:	2007-11-30 22:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	RHSA-2007-0540
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-07 15:32:46 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0540	0	normal	SHIPPED_LIVE	Moderate: openssh security and bug fix update	2007-11-07 16:19:19 UTC

Description Tomas Mraz 2007-07-12 21:03:30 UTC

+++ This bug was initially created as a clone of Bug #247797 +++

Description of problem:
The logging of failed logins can be used to inject bad information into audit
logs. Example:

ssh -l "fakeuser auid=1234 tty=pty1 host=127.0.0.1" victim

causes:

type=USER_AUTH msg=audit(06/07/2007 11:04:14.429:101) : user pid=8151 uid=root
auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=fakeuser auid=unknown(1234) tty=pty1 host=127.0.0.1 : exe=/usr/sbin/sshd
(hostname=discovery.redhat.com, addr=192.168.1.171, terminal=ssh res=failed)'


Version-Release number of selected component (if applicable):
all recent versions

-- Additional comment from sgrubb on 2007-06-08 15:10 EST --
ssh -l "fakeuser auid=1234 terminal=pty1 hostname=127.0.0.1" victim

Is a better test case. Using it, you can subvert ausearch and aureport when they
search or report on tty or hostname. This is important in that some people could
construct protective measures based on the audit log information and wind up
suspecting the wrong host. Its easy to image this become a DoS vector. And it
would possibly make people lose confidence in audit system.


-- Additional comment from mjc on 2007-06-15 09:19 EST --
This issue has security implications as a third party may rely on parsing the
audit logs (like a IDS/IPS system) and this false information may be able to
fool it. allocated CVE-2007-3102

The openssh package also creates USER_LOGIN audit records which have the same
log injection problem. The user name must be escaped in these audit records as well.

Comment 1 Steve Grubb 2007-07-12 21:09:29 UTC

This should be fixed as it can mislead the audit system and any analytical tools
reading the events.

Comment 7 Mark J. Cox 2007-11-07 14:19:21 UTC

removing embargo

Comment 8 errata-xmlrpc 2007-11-07 15:32:46 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0540.html

Note You need to log in before you can comment on or make changes to this bug.