Bug 661163 - (CVE-2010-4341) CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
public=20110111,reported=20101206,sou...
Keywords: Security
Depends On: 668888 688248 688250
Reported: 2010-12-07 18:37 EST by Vincent Danen
Modified: 2015-08-19 05:01 EDT
Fixed In Version: sssd 1.5.1
Doc Type: Bug Fix
Last Closed: 2011-07-21 10:15:05 EDT


Attachments
Patch for RHEL5 and RHEL6 (11.44 KB, patch), 2010-12-17 15:39 EST, Stephen Gallagher
Patch for Fedora 13 (11.44 KB, patch), 2010-12-17 15:40 EST, Stephen Gallagher
Patch for Fedora 14 (11.44 KB, patch), 2010-12-17 15:40 EST, Stephen Gallagher

Description Vincent Danen 2010-12-07 18:37:44 EST
Sebastian Krahmer discovered that it was possible to make sssd hang forever inside a loop in the pam_parse_in_data_v2() function of SSSD's PAM responder by using a carefully crafted packet to sssd.  This could be exploited by a local attacker to crash sssd and prevent other legitimate users from logging into the system.

Acknowledgements:

Red Hat would like to thank Sebastian Krahmer for reporting this issue.
Comment 7 Stephen Gallagher 2010-12-17 15:39:26 EST
Created attachment 469438
Patch for RHEL5 and RHEL6

This patch applies to the SSSD 1.2.x branch and will resolve the issue on RHEL 5 and RHEL 6.
Comment 8 Stephen Gallagher 2010-12-17 15:40:12 EST
Created attachment 469439
Patch for Fedora 13

This patch applies to the SSSD 1.3 branch and will resolve the issue on Fedora 13.
Comment 9 Stephen Gallagher 2010-12-17 15:40:56 EST
Created attachment 469440
Patch for Fedora 14

This patch applies to the SSSD 1.4.x branch and will resolve the issue on Fedora 14.
Comment 10 Vincent Danen 2010-12-17 16:12:15 EST
Thanks for the patches.  I'm going to pass these on to other vendors and coordinate an unembargo date.
Comment 18 Vincent Danen 2011-01-11 17:38:38 EST
Created sssd tracking bugs for this issue

Affects: fedora-all [bug 668888]
Comment 19 Vincent Danen 2011-01-11 17:40:41 EST
Statement:

(none)
Comment 25 Kaushik Banerjee 2011-04-12 08:15:46 EDT
Verified with Sumit's reproducer script.
The script hangs when run on RHEL 6.0 32-bit (sssd-1.2.1-28) and sssd_pam consumes 100% CPU.

The script works fine when run on RHEL 6.1 32-bit (sssd-1.5.1-25).

Verified on version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 25.el6                        Build Date: Fri 08 Apr 2011 10:53:37 PM IST
Install Date: Tue 12 Apr 2011 11:01:14 AM IST      Build Host: x86-002.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-25.el6.src.rpm
Size        : 3582701                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 26 errata-xmlrpc 2011-05-19 07:40:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0560 https://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 27 errata-xmlrpc 2011-05-19 09:09:01 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0560 https://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 28 Vincent Danen 2011-07-07 11:02:03 EDT
This was corrected in upstream sssd version 1.5.1:

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.1
Comment 29 Stephen Gallagher 2011-07-07 11:29:49 EDT
Why was this BZ reopened?
Comment 30 Vincent Danen 2011-07-07 12:40:03 EDT
It was never closed, and it is still unresolved in Red Hat Enterprise Linux 5.  SRT bugs shouldn't be in VERIFIED state, so I just flipped the state back to NEW where it is supposed to be.
Comment 31 errata-xmlrpc 2011-07-21 04:09:08 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0975 https://rhn.redhat.com/errata/RHSA-2011-0975.html
Comment 32 errata-xmlrpc 2011-07-21 07:45:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0975 https://rhn.redhat.com/errata/RHSA-2011-0975.html
