Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-3326: sssd,pam_krb5: PAM/Kerberos issue on NetBSD | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Cathy Hu <cathy.hu> |
| Component: | Incidents | Assignee: | Valentin Lefebvre <valentin.lefebvre> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | ismael.luceno, kukuk, samba-maintainers, scabrero, security-team, valentin.lefebvre |
| Version: | unspecified | Flags: | scabrero: needinfo? (valentin.lefebvre) |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/370074/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-3326:7.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Cathy Hu
2023-06-22 09:02:06 UTC
Apparently pam_krb5 and sssd-krb5 are also affected: https://seclists.org/oss-sec/2023/q2/254

Hello,

From the pam_krb5 man pages:

"If that keytab cannot be read or if no keys are found in it, the default (potentially insecure) behavior is to skip this check. If you want to instead fail authentication if the obtained tickets cannot be checked, set verify_ap_req_nofail to true in the [libdefaults] section of /etc/krb5.conf. Note that this will affect applications other than this PAM module."

And as it was explained further in the thread mail, there isn't a safe option.

If we want to be sure that the authentication fails by default in case the keytab cannot be read, we probably should add `verify_ap_req_nofail true` by default in /etc/krb5.conf.

Add needinfo to scabrero@suse.com (maintainer of krb5): Could we add this conf by default from the krb5 package?

Add needinfo to kukuk@suse.com: Have you already faced that security issue with PAM modules in the past?

(In reply to Valentin Lefebvre from comment #2)
> If we want to be sure that the authentication fails by default in case
> the keytab cannot be read, we probably should add the `verify_ap_req_nofail
> true` by default in /etc/krb5.conf.
>
> Add needinfo to scabrero@suse.com (maintainer of krb5): Could we add this
> conf by default from the krb5 package?

Changing the default was discussed in 2011 and dismissed because it could break deployments not using host keys. https://mailman.mit.edu/pipermail/krbdev/2011-January/009796.html

Apart from that, IMO enabling it by default can lead to an invalid krb5.conf because it assumes that the user will set up host keys, create the keytab and make it readable for pam_krb5.

Thanks Samuel for your feedback.

Our pam-krb5 by default leaves the spoofing vulnerability open when using the Kerberos method krb5_verify_init_creds(), governed by the verify_ap_req_nofail option. FreeBSD, by the patch mentioned in this bug, does the opposite, adding a new argument to the PAM module, "allow_kdc_spoof", false by default, to avoid the spoofing.

I've asked the upstream of our PAM module if the FreeBSD patch can be adapted to it.

As the implementations of FreeBSD/pam-krb5 and Linux/pam-krb5 are totally different, we cannot just apply their patch.

A Jira ticket has been created to change the Kerberos default config file. See https://jira.suse.com/browse/PED-5718.

(In reply to Valentin Lefebvre from comment #8)
> A Jira ticket has been created to change the Kerberos default
> config file. See https://jira.suse.com/browse/PED-5718.

Hi Valentin, the IBS request is approved, do you agree to close the bug?

(In reply to Samuel Cabrero from comment #9)
> (In reply to Valentin Lefebvre from comment #8)
> > A Jira ticket has been created to change the Kerberos default
> > config file. See https://jira.suse.com/browse/PED-5718.
>
> Hi Valentin, the IBS request is approved, do you agree to close the bug?

Sure, thanks. I close the bug as resolved.
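The thread turns on a three-way outcome described in the pam_krb5 man page: when the host keytab is usable the freshly obtained TGT is verified against the host key; when it is not, the check is either skipped (the KDC-spoofing window) or, with `verify_ap_req_nofail = true` in `[libdefaults]`, authentication fails closed. The following preflight check is an added example written for this page; it is not code from the bug, from pam_krb5, from sssd or from MIT krb5. It reads the `[libdefaults]` section of a krb5.conf text, checks that a keytab exists, is readable and contains at least one record (framing only, the MIT keytab layout of a `05 02` magic followed by int32-length-prefixed records), and reports which of the three outcomes applies. The two configuration texts, the keytab bytes and the temporary paths are constructed for the example; the real decision is made inside `krb5_verify_init_creds()`, so treat this as a reviewer's audit helper, not as a reimplementation of that function.

```python
"""Preflight check for the pam_krb5 KDC-spoofing window discussed in the bug.

Added example, not code from the SUSE bug, pam_krb5, sssd or MIT krb5.
Assumptions (constructed for this example): the sample krb5.conf texts,
the sample keytab bytes, and the temporary paths used by demo().
"""
import os
import struct
import tempfile

# Constructed krb5.conf: a typical distribution default with no
# verify_ap_req_nofail setting, and the hardened variant the thread proposes.
WEAK_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""
HARDENED_KRB5_CONF = WEAK_KRB5_CONF.replace(
    "    dns_lookup_kdc = true\n",
    "    dns_lookup_kdc = true\n    verify_ap_req_nofail = true\n",
)

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab version 2 header


def libdefaults(conf_text):
    """Return the flat key/value pairs of [libdefaults].

    Minimal krb5.conf reader: [name] lines open sections, key = value lines
    are settings, and brace-delimited subsections (as used in [realms]) are
    skipped by tracking brace depth. Sufficient for [libdefaults].
    """
    settings, section, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].lower(), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def krb5_bool(value):
    """krb5 accepts several spellings of a boolean; anything else is false."""
    return value.strip().lower() in {"true", "yes", "on", "1", "t", "y"}


def nofail_enabled(conf_text):
    """True when verify_ap_req_nofail is set to a true value (krb5 default: false)."""
    return krb5_bool(libdefaults(conf_text).get("verify_ap_req_nofail", "false"))


def keytab_entry_count(data):
    """Count live records in keytab bytes: 2-byte magic, then records each
    prefixed by a big-endian int32 length; a negative length marks a deleted
    slot. Only the framing is checked, key material is not parsed."""
    if len(data) < 2 or data[:2] != KEYTAB_MAGIC:
        return 0
    count, pos = 0, 2
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if length == 0 or pos + abs(length) > len(data):
            break  # malformed or truncated record
        if length > 0:
            count += 1
        pos += abs(length)
    return count


def keytab_state(path):
    """'missing', 'unreadable', 'empty' or 'ok' for a keytab path."""
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"
    return "ok" if keytab_entry_count(data) > 0 else "empty"


def verdict(conf_text, keytab_path):
    """Outcome per the pam_krb5 man page:
    'verified'    keytab usable, the TGT is checked against the host key;
    'fail_closed' keytab unusable, verify_ap_req_nofail set: auth fails;
    'unverified'  keytab unusable, nofail unset: check skipped, KDC spoofable."""
    if keytab_state(keytab_path) == "ok":
        return "verified"
    return "fail_closed" if nofail_enabled(conf_text) else "unverified"


# Constructed keytab: header plus one 8-byte record (framing only, no real key).
SAMPLE_KEYTAB = KEYTAB_MAGIC + struct.pack(">i", 8) + b"\x00" * 8


def demo():
    """Run the three scenarios from the thread against temporary paths."""
    tmpdir = tempfile.mkdtemp()
    missing = os.path.join(tmpdir, "no-such.keytab")  # assumed absent
    present = os.path.join(tmpdir, "krb5.keytab")
    with open(present, "wb") as fh:
        fh.write(SAMPLE_KEYTAB)
    return {
        "weak_no_keytab": verdict(WEAK_KRB5_CONF, missing),
        "hardened_no_keytab": verdict(HARDENED_KRB5_CONF, missing),
        "weak_with_keytab": verdict(WEAK_KRB5_CONF, present),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `hardened_no_keytab` case is exactly the trade-off Samuel raises: on a host that was never given a host key and keytab, `verify_ap_req_nofail = true` turns the unverified-but-working login into a hard authentication failure for every application that calls `krb5_verify_init_creds()`, which is why the check above reports the keytab state separately from the option.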