Bug 459217 (CVE-2008-4313) - CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
Status: CLOSED ERRATA
Alias: CVE-2008-4313
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 471370 471371
Blocks:
Reported: 2008-08-15 02:52 UTC by Tim Potter
Modified: 2019-09-29 12:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-09 09:05:15 UTC


Attachments
fixed local-or-remote-patch (15.42 KB, patch), 2008-10-13 15:06 UTC, Vitezslav Crhonek


Links
System ID: Red Hat Product Errata RHSA-2008:1001
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: tog-pegasus security update
Last Updated: 2008-11-25 09:05:32 UTC

Description Tim Potter 2008-08-15 02:52:59 UTC
Description of problem:

While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases.  It's always set to the service name, "wbem".  I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.

To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root.  By default this should not work, but it does.  If you change the access.conf file from:

-: ALL EXCEPT pegasus:wbemNetwork

to:

-: ALL EXCEPT pegasus:wbem

and retry accessing PG_ComputerSystem, the request fails as it is supposed to.

Looking at the differences between the local-or-remote-auth patch in tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.

Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.
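
The effect described in the report above, as an added example that is not part of the original report or of pam_access itself: a simplified model of access.conf evaluation showing why a rule keyed on the tty name "wbemNetwork" stops applying once the tty is always "wbem". It assumes first-match-wins with a default of "allow" when no rule matches, and models only the ALL and EXCEPT keywords; the function names are hypothetical.

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access source).
# Supported: "perm : users : origins" lines, the ALL keyword, and EXCEPT.
# Not modeled: groups, netgroups, hostnames/networks, LOCAL.

def _in_list(item, tokens):
    """True if item matches the token list, honouring 'ALL' and 'EXCEPT'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _in_list(item, tokens[:i]) and not _in_list(item, tokens[i + 1:])
    return any(t == "ALL" or t == item for t in tokens)

def access_allowed(rules, user, origin):
    """First matching rule decides; no matching rule means access is granted."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _in_list(user, users.split()) and _in_list(origin, origins.split()):
            return perm == "+"
    return True

SHIPPED_RULE = "-: ALL EXCEPT pegasus:wbemNetwork"  # rule quoted in the report
CHANGED_RULE = "-: ALL EXCEPT pegasus:wbem"         # reporter's test change

def demo():
    cases = [
        (SHIPPED_RULE, "root", "wbemNetwork"),  # tty name the rule was written for
        (SHIPPED_RULE, "root", "wbem"),         # tty name set by the 2.7.0 RPM per the report
        (CHANGED_RULE, "root", "wbem"),         # rule rewritten to match the new tty name
        (CHANGED_RULE, "pegasus", "wbem"),      # the dedicated user is exempt from the deny
    ]
    return [access_allowed(r, u, o) for r, u, o in cases]

if __name__ == "__main__":
    for allowed in demo():
        print(allowed)
```

The second case is the bypass: the deny rule never matches, so evaluation falls through to the default and root is let in.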


Comment 1 Vitezslav Crhonek 2008-08-15 08:53:01 UTC
I investigated it and you are right. It looks like a mistake when rebasing to the 2.7.x branch.

As far as I know, the local-or-remote-auth patch should be part of upstream code in the near future, so I will check or fix it.

Comment 3 Vitezslav Crhonek 2008-10-13 15:06:41 UTC
Created attachment 320192
fixed local-or-remote-patch

Proposed patch (NOT tested yet!)

Not very nice, but it's only a provisional solution until this functionality is part of upstream.

Comment 5 Jan Lieskovsky 2008-11-13 10:37:12 UTC
This issue affects all versions of the tog-pegasus package, as shipped
with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10.

This issue does NOT affect the versions of the tog-pegasus package,
as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8.

Comment 9 Fedora Update System 2008-11-14 17:32:14 UTC
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.1-3.fc10

Comment 10 Fedora Update System 2008-11-14 18:25:56 UTC
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.0-7.fc9

