Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2005-3042: webmin remote code execution through PAM | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Ihno Krumreich <ihno> |
| Status: | VERIFIED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | mls, patch-request, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2005-3042: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Is there a CAN number for this?

SwampID 2564

CAN-2005-3042

fix for 9.0 is missing?

Coming.

Submitted packages and patchinfos for 9.0 and 9.1

reassign to sec-team and leave it open for tracking.

Is 9.0-x86_64 not affected? It is missing from the patchinfo file... same goes for 9.1-x86-64 in the already checked in one.

Ihno, you have to create box patchinfos with edit_patchinfo -b webmin you apparently filled out everything by hand...

9.1-x86_64 did not have webmin. But 9.0-x86_64.

Ihno, please fix the patchinfo.

updates released. thanks!

Then close the bug!

CVE-2005-3042: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Hello Ihno, are we affected by this?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200509-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Webmin, Usermin: Remote code execution through PAM authentication
      Date: September 24, 2005
      Bugs: #106705
        ID: 200509-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

If Webmin or Usermin is configured to use full PAM conversations, it is vulnerable to the remote execution of arbitrary code with root privileges.

Background
==========

Webmin and Usermin are web-based system administration consoles. Webmin allows an administrator to easily configure servers and other features. Usermin allows users to configure their own accounts, execute commands, and read e-mails.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  app-admin/webmin        < 1.230                          >= 1.230
  2  app-admin/usermin       < 1.160                          >= 1.160
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Keigo Yamazaki discovered that the miniserv.pl webserver, used in both Webmin and Usermin, does not properly validate authentication credentials before sending them to the PAM (Pluggable Authentication Modules) authentication process. The default configuration shipped with Gentoo does not enable the "full PAM conversations" option and is therefore unaffected by this flaw.

Impact
======

A remote attacker could bypass the authentication process and run any command as the root user on the target server.

Workaround
==========

Do not enable "full PAM conversations" in the Authentication options of Webmin and Usermin.

Resolution
==========

All Webmin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-admin/webmin-1.230

...

From: snsadv <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Subject: [SNS Advisory No.83] Webmin/Usermin PAM Authentication Bypass Vulnerability
Envelope-To: tom@electric-sheep.org

------------------------------------------------------------------
SNS Advisory No.83
Webmin/Usermin PAM Authentication Bypass Vulnerability

Problem first discovered on: Sun, 04 Sep 2005
Published on: Tue, 20 Sep 2005
------------------------------------------------------------------

Severity Level:
---------------
High

Overview:
---------
A vulnerability that could result in a session ID spoofing exists in miniserv.pl, which is a webserver program that gets both Webmin and Usermin to run.

Problem Description:
--------------------
Webmin is a web-based system administration tool for Unix. Usermin is a web interface that allows all users on a Unix system to easily receive mails and to perform SSH and mail forwarding configuration.

Miniserv.pl is a webserver program that both Webmin and Usermin to run. Miniserv.pl carries out named pipe communication between the parent and the child process during the creation and Confirmation of effectiveness of a session ID (session used for access control via the Web).

Miniserv.pl does not check whether metacharacters, such as line feed or carriage return, are included with user supplied strings during the PAM(Pluggable Authentication Modules) authentication process. Exploitation therefore, could make it possible for attackers to bypass authentication and execute arbitrary command as root.

Tested Versions:
----------------
Webmin Version : 1.220
Usermin Version : 1.150

Solution:
---------
This problem can be eliminated by upgrading to Webmin version 1.230 and to Usermin version 1.160, which are available at:

http://www.webmin.com/

Discovered by:
--------------
Keigo Yamazaki (LAC)

Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.

http://jvn.jp/jp/JVN%2340940493/index.html
http://www.ipa.go.jp/security/vuln/documents/2005/JVN_40940493_webmin.html

Disclaimer:
-----------
The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here.

This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/83_e.html
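
An added example, not code from Webmin, the advisories, or this bug report: it shows the flaw class the SNS advisory describes, a user-supplied string written unchecked into a line-oriented channel between two processes, next to a framing function that rejects line feed, carriage return and other control characters. The record format, the `CHECK` verb and all function names are assumptions made for illustration and are not miniserv.pl's actual protocol.

```python
import re

# Hypothetical IPC format: one record per line, fields separated by one space.
# Verb and field names are constructed for this example, not taken from miniserv.pl.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeField(ValueError):
    """Raised when a field would break the one-record-per-line framing."""


def frame_unchecked(verb: str, *fields: str) -> bytes:
    """The flawed pattern: fields go onto the pipe exactly as received."""
    return (" ".join((verb, *fields)) + "\n").encode()


def frame_checked(verb: str, *fields: str) -> bytes:
    """Hardened form: refuse empty fields, the delimiter, and control characters."""
    for field in fields:
        if field == "" or " " in field or _CONTROL.search(field):
            raise UnsafeField(f"rejected field {field!r}")
    return frame_unchecked(verb, *fields)


def read_records(stream: bytes) -> list[list[str]]:
    """What the receiving process parses: split on line endings, then on spaces."""
    return [line.split(" ") for line in stream.decode().splitlines() if line]


def records_for_login(framer, username: str) -> int:
    """Number of records the receiver sees for a single login attempt."""
    return len(read_records(framer("CHECK", username)))


# Constructed inputs: an ordinary name, and names carrying LF or CR.
ORDINARY = "alice"
WITH_LINE_FEED = "alice\nEXTRA record"
WITH_CARRIAGE_RETURN = "alice\rEXTRA record"

if __name__ == "__main__":
    for name in (ORDINARY, WITH_LINE_FEED, WITH_CARRIAGE_RETURN):
        print(repr(name), "unchecked records:", records_for_login(frame_unchecked, name))
        try:
            frame_checked("CHECK", name)
            print("  checked framing: accepted")
        except UnsafeField as exc:
            print("  checked framing:", exc)
```

Refusing the space delimiter suits this constructed format only; a protocol that must carry arbitrary strings would encode fields (for example with length prefixes) instead of rejecting them.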