661163 – (CVE-2010-4341) CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins

Bug 661163 (CVE-2010-4341) - CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins

Summary: CVE-2010-4341 sssd: DoS in sssd PAM responder can prevent logins

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-4341
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	668888 688248 688250
Blocks:
TreeView+	depends on / blocked

Reported:	2010-12-07 23:37 UTC by Vincent Danen
Modified:	2023-05-11 16:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:	sssd 1.5.1
Clone Of:
Environment:
Last Closed:	2011-07-21 14:15:05 UTC
Embargoed:

Attachments	(Terms of Use)
Patch for RHEL5 and RHEL6 (11.44 KB, patch) 2010-12-17 20:39 UTC, Stephen Gallagher	no flags	Details \| Diff
Patch for Fedora 13 (11.44 KB, patch) 2010-12-17 20:40 UTC, Stephen Gallagher	no flags	Details \| Diff
Patch for Fedora 14 (11.44 KB, patch) 2010-12-17 20:40 UTC, Stephen Gallagher	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0560	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2011-05-19 11:38:17 UTC
Red Hat Product Errata	RHSA-2011:0975	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2011-07-21 08:09:03 UTC

Description Vincent Danen 2010-12-07 23:37:44 UTC

Sebastian Krahmer discovered that it was possible to make sssd hang forever inside a loop in the pam_parse_in_data_v2() function of SSSD's PAM responder by using a carefully crafted packet to sssd.  This could be exploited by a local attacker to crash sssd and prevent other legitimate users from logging into the system.

Acknowledgements:

Red Hat would like to thank Sebastian Krahmer for reporting this issue.

Comment 7 Stephen Gallagher 2010-12-17 20:39:26 UTC

Created attachment 469438 [details]
Patch for RHEL5 and RHEL6

This patch applies to the SSSD 1.2.x branch and will resolve the issue on RHEL 5 and RHEL 6.

Comment 8 Stephen Gallagher 2010-12-17 20:40:12 UTC

Created attachment 469439 [details]
Patch for Fedora 13

This patch applies to the SSSD 1.3 branch and will resolve the issue on Fedora 13.

Comment 9 Stephen Gallagher 2010-12-17 20:40:56 UTC

Created attachment 469440 [details]
Patch for Fedora 14

This patch applies to the SSSD 1.4.x branch and will resolve the issue on Fedora 14.

Comment 10 Vincent Danen 2010-12-17 21:12:15 UTC

Thanks for the patches.  I'm going to pass these on to other vendors and coordinate an unembargo date.

Comment 18 Vincent Danen 2011-01-11 22:38:38 UTC

Created sssd tracking bugs for this issue

Affects: fedora-all [bug 668888]

Comment 19 Vincent Danen 2011-01-11 22:40:41 UTC

Statement:

(none)

Comment 25 Kaushik Banerjee 2011-04-12 12:15:46 UTC

Verified with Sumit's reproducer script.
The script hangs on running on RHEL 6.0 32-bit (sssd-1.2.1-28) and sssd_pam consumes 100% cpu.

The script works fine on running on RHEL 6.1 32 bit (sssd-1.5.1-25).

Verified on version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 25.el6                        Build Date: Fri 08 Apr 2011 10:53:37 PM IST
Install Date: Tue 12 Apr 2011 11:01:14 AM IST      Build Host: x86-002.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-25.el6.src.rpm
Size        : 3582701                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 26 errata-xmlrpc 2011-05-19 11:40:55 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0560 https://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 27 errata-xmlrpc 2011-05-19 13:09:01 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0560 https://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 28 Vincent Danen 2011-07-07 15:02:03 UTC

This was corrected in upstream sssd version 1.5.1:

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.1

Comment 29 Stephen Gallagher 2011-07-07 15:29:49 UTC

Why was this BZ reopened?

Comment 30 Vincent Danen 2011-07-07 16:40:03 UTC

It was never closed, and it is still unresolved in Red Hat Enterprise Linux 5.  SRT bugs shouldn't be in VERIFIED state, so I just flipped the state back to NEW where it is supposed to be.

Comment 31 errata-xmlrpc 2011-07-21 08:09:08 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0975 https://rhn.redhat.com/errata/RHSA-2011-0975.html

Comment 32 errata-xmlrpc 2011-07-21 11:45:55 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0975 https://rhn.redhat.com/errata/RHSA-2011-0975.html

Note You need to log in before you can comment on or make changes to this bug.