Red Hat Bugzilla – Bug 459217
CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
Last modified: 2010-10-22 23:46:41 EDT
Description of problem:
While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases. It's always set to the service name, "wbem". I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.
To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root. By default this should not work, but it does. If you change the access.conf file from:
-: ALL EXCEPT pegasus:wbemNetwork
-: ALL EXCEPT pegasus:wbem
and retry accessing PG_ComputerSystem, the request fails as it is supposed to.
Looking at the differences between the local-or-remote-auth patch in
tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.
Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I investigated it and your are right. It looks like mistake when rebasing to 2.7.x branch.
As far as I know, local-or-remote-auth patch should be part of upstream code in near future, so I check or fix it.
Created attachment 320192 [details]
Proposed patch (NOT tested yet!)
Not very nice, but it's only provisional solution till this functionality will be part of upstream.
This issue affects all versions of the tog-pegasus package, as shipped
with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10.
This issue does NOT affect the versions of the tog-pegasus package,
as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8.
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10.
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9.
This issue was addressed in:
Red Hat Enterprise Linux: