Bug 459217 - (CVE-2008-4313) CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
reported=20081112,public=20080814,sou...
Keywords: Security
Depends On: 471370 471371
Reported: 2008-08-14 22:52 EDT by Tim Potter
Modified: 2010-10-22 23:46 EDT

Doc Type: Bug Fix
Last Closed: 2009-01-09 04:05:15 EST


Attachments
fixed local-or-remote-patch (15.42 KB, patch)
2008-10-13 11:06 EDT, Vitezslav Crhonek

Description Tim Potter 2008-08-14 22:52:59 EDT
Description of problem:

While investigating bug 459057 I noticed that the tog-pegasus RPM based on Pegasus 2.7.0 no longer sets the PAM tty name to "wbemLocal" or "wbemRemote" as in previous releases.  It's always set to the service name, "wbem".  I believe this completely bypasses the security settings in /etc/Pegasus/access.conf.

To test, install the 2.7.0 RPM and enumerate the PG_ComputerSystem instance as root.  By default this should not work, but it does.  If you change the access.conf file from:

-: ALL EXCEPT pegasus:wbemNetwork

to:

-: ALL EXCEPT pegasus:wbem

and retry accessing PG_ComputerSystem, the request fails as it is supposed to.

Looking at the differences between the local-or-remote-auth patch in tog-pegasus-2.6.1-2.el5.src.rpm vs tog-pegasus-2.7.0-2.el5.src.rpm, it appears that both patches pass whether the connection is remote further down through various Pegasus classes, but the 2.7.0 patch looks like it's missing a whole chunk of code in Security/Authentication/PAMBasicAuthenticatorUnix.cpp where the isRemoteUser parameter is unused.

Tested on ia64 system upgraded from rhel5.0 to rhel5.2 and freshly installed rhel5.2 on x86_64.

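The effect described in the report above, modeled as an added example (not code from tog-pegasus or Linux-PAM): a simplified pam_access-style evaluator showing why the quoted rule stops denying root once the origin presented to PAM is "wbem" instead of "wbemNetwork". It assumes the first matching rule wins and unmatched requests are granted; the function names and the reduced grammar (literal names, ALL and EXCEPT only) are assumptions.

```python
# Simplified model of pam_access rule evaluation. Added example; handles only
# literal names, ALL and EXCEPT (no groups, netmasks, LOCAL or wildcards).

def list_match(tokens, item):
    """Match if item is in the part before EXCEPT and not in the part after it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    hit = any(t == "ALL" or t == item for t in head)
    return hit and not (tail and list_match(tail, item))

def is_allowed(conf_text, user, origin):
    """Evaluate 'perm:users:origins' lines; first match decides, no match grants."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [f.strip() for f in line.split(":", 2)]
        if len(parts) != 3:
            continue  # blank, comment-only or malformed line
        perm, users, origins = parts
        if list_match(users.split(), user) and list_match(origins.split(), origin):
            return perm == "+"
    return True

# Rules quoted in the report.
SHIPPED = "-: ALL EXCEPT pegasus:wbemNetwork\n"
WORKAROUND = "-: ALL EXCEPT pegasus:wbem\n"

def audit(conf_text, origins=("wbemNetwork", "wbem"), users=("root", "pegasus")):
    """Return {(user, origin): allowed} for each combination."""
    return {(u, o): is_allowed(conf_text, u, o) for o in origins for u in users}

if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED), ("workaround", WORKAROUND)):
        for (user, origin), ok in audit(conf).items():
            verdict = "ALLOW" if ok else "DENY"
            print(f"{name:10} user={user:8} origin={origin:12} -> {verdict}")
```

The same check can be run against a deployed access.conf by passing its contents as `conf_text` together with the origin string the service actually hands to PAM.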
Comment 1 Vitezslav Crhonek 2008-08-15 04:53:01 EDT
I investigated it and you are right. It looks like a mistake when rebasing to the 2.7.x branch.

As far as I know, the local-or-remote-auth patch should be part of the upstream code in the near future, so I will check or fix it.
Comment 3 Vitezslav Crhonek 2008-10-13 11:06:41 EDT
Created attachment 320192
fixed local-or-remote-patch

Proposed patch (NOT tested yet!)

Not very nice, but it's only a provisional solution until this functionality is part of upstream.
Comment 5 Jan Lieskovsky 2008-11-13 05:37:12 EST
This issue affects all versions of the tog-pegasus package, as shipped
with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10.

This issue does NOT affect the versions of the tog-pegasus package,
as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8.
Comment 9 Fedora Update System 2008-11-14 12:32:14 EST
tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.1-3.fc10
Comment 10 Fedora Update System 2008-11-14 13:25:56 EST
tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tog-pegasus-2.7.0-7.fc9
