Bug 555573 - (CVE-2010-0015) CVE-2010-0015 glibc NIS password hash disclosure
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
http://web.nvd.nist.gov/view/vuln/det...
public=20091210,reported=20100107,sou...
: Security
Reported: 2010-01-14 14:53 EST by Josh Bressers
Modified: 2016-02-04 01:48 EST
Doc Type: Bug Fix
Last Closed: 2011-02-03 14:26:54 EST
Description Josh Bressers 2010-01-14 14:53:44 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0015 to the following vulnerability:

nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
passwd.adjunct.byname map to entries in the passwd map, which allows
remote attackers to obtain the encrypted passwords of NIS accounts by
calling the getpwnam function.

http://sourceware.org/bugzilla/show_bug.cgi?id=11134
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333
http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup
Comment 4 Josh Bressers 2010-06-29 15:48:52 EDT
The upstream fix for this can be found here:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=71170aa0a956c59d8bad0cf6f5ed31d78c90e332
Comment 8 Tomas Hoger 2011-02-03 14:26:54 EST
I had another look at this issue.  The problem that was reported was specific to the way passwd.adjunct.byname NIS map data was handled.  passwd.adjunct is a password shadowing mechanism used by some SunOS / Solaris versions.  The glibc NIS client, when seeing passwd map data of a certain format (password field starting with "##"), tries to query the NIS server for passwd.adjunct data too and makes the password hash part of the passwd map data if available.  The NIS server may refuse to provide that data to clients not connecting from a privileged port if configured to do so (the default ypserv.conf configuration in RHEL prevents access to passwd.adjunct and shadow maps by default, even though none of those maps are created by default).

The issue raised by the original reporter is that the use of nscd may make passwd.adjunct data available to non-privileged users too.  This may happen when nscd is running as root; however, on RHEL, nscd is run under the dedicated user account nscd.  Hence, unless the nscd configuration is changed to use the root user, it cannot send queries from a privileged port and will not get replies that a non-privileged user cannot get via other means.

This does not affect shadow map data, which is not cached by nscd.

Given the limited benefit this fix adds on top of weak NIS security, there's no plan to backport this fix to Red Hat Enterprise Linux 4 and 5.  The glibc packages in Red Hat Enterprise Linux 6 already contain the upstream patch, which allows configuring NSS, using the ADJUNCT_AS_SHADOW directive, to use passwd.adjunct data to synthesize shadow map data rather than adding passwords to the passwd map.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. We do not currently plan to address this flaw on Red Hat Enterprise Linux 4 and 5. This issue does not affect Red Hat Enterprise Linux 6.
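
An added example, not part of the bug report or of glibc: a Python audit that classifies the password field NSS returns to an unprivileged caller, flagging entries where a hash was merged into passwd data instead of staying behind a "##" marker, and checks whether ADJUNCT_AS_SHADOW is enabled. The sample entries, the /etc/default/nss location and the simplified "NAME = TRUE" parsing are assumptions.

```python
import re

# Constructed sample of passwd entries as an unprivileged NSS lookup returns them.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:##alice:1001:1001:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Bob:/home/bob:/bin/bash
carol:*:1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed sample of /etc/default/nss with the directive commented out.
SAMPLE_NSS_DEFAULT = """\
#ADJUNCT_AS_SHADOW = TRUE
NETID_AUTHORITATIVE = TRUE
"""

NO_HASH = {"x", "*", "!", "!!"}  # common placeholder / locked markers

def classify(pw_field):
    """Classify the password field of one passwd entry."""
    if pw_field.startswith("##"):
        return "adjunct-marker"  # hash stays in passwd.adjunct.byname
    if pw_field in NO_HASH:
        return "no-hash"
    if pw_field == "":
        return "empty"
    return "hash-exposed"        # anything else is readable hash material

def parse_passwd(text):
    """Yield (name, password field) from passwd-format text."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            yield fields[0], fields[1]

def audit(entries):
    """Map each account name to the classification of its password field."""
    return {name: classify(field) for name, field in entries}

def adjunct_as_shadow_enabled(nss_default_text):
    """True if an uncommented 'ADJUNCT_AS_SHADOW = TRUE' line is present."""
    pattern = re.compile(r"\s*ADJUNCT_AS_SHADOW\s*=\s*(?i:TRUE)\b")
    return any(pattern.match(line.split("#", 1)[0])
               for line in nss_default_text.splitlines())

if __name__ == "__main__":
    import pwd  # live check: what this (unprivileged) process gets from NSS
    live = audit((p.pw_name, p.pw_passwd) for p in pwd.getpwall())
    print({n: c for n, c in live.items() if c == "hash-exposed"})
```

Run as a non-root user on a NIS client, with and without nscd running, any "hash-exposed" account indicates passwd.adjunct data reaching unprivileged callers.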
