Bug 48934 (CVE-2004-0041)

Summary: VUL-0: CVE-2004-0041: mod_auth_shadow: did not check expiration date
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0041: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Proposed patch, extracted from fixed Debian package and separated from another patch

Description Thomas Biege 2004-01-13 17:38:27 UTC
Hi Peter, 
Debian reported the following: 
--------------------------------------------------------------------------
Debian Security Advisory DSA 421-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
January 12th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------
 
Package        : mod-auth-shadow 
Vulnerability  : password expiration 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2004-0041 
 
David B Harris discovered a problem with mod-auth-shadow, an Apache 
module which authenticates users against the system shadow password 
database, where the expiration status of the user's account and 
password were not enforced.  This vulnerability would allow an 
otherwise authorized user to successfully authenticate, when the 
attempt should be rejected due to the expiration parameters. 
 
For the current stable distribution (woody) this problem has been 
fixed in version 1.3-3.1woody.1 
 
For the unstable distribution (sid) this problem has been fixed in 
version 1.4-1. 
 
We recommend that you update your mod-auth-shadow package. 
--- 
 
The advisory is not online yet. 
http://www.debian.org/security/2004/dsa-421
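
The account and password expiration checks that the advisory says were not enforced, sketched as an added example; this is not the Debian patch or the SUSE fix. `check_aging`, `make_entry` and the status names are hypothetical, and rejecting an aged-out password outright is an assumption that fits a module with no way to prompt for a password change.

```c
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum aging_status { AGING_OK, ACCOUNT_EXPIRED, PASSWORD_EXPIRED, MUST_CHANGE };

/* /etc/shadow aging fields count days since 1970-01-01, not seconds. */
long days_since_epoch(time_t now) { return (long)(now / 86400); }

/* Aging decision for one shadow entry on day `today`.
 * A value of -1 means the field is empty (no limit configured). */
enum aging_status check_aging(const struct spwd *sp, long today)
{
    /* Account expiration date: an absolute day number. */
    if (sp->sp_expire >= 0 && today >= sp->sp_expire)
        return ACCOUNT_EXPIRED;
    /* Last-change day 0 forces a password change at next login. */
    if (sp->sp_lstchg == 0)
        return MUST_CHANGE;
    /* Maximum password age, counted from the last change. */
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0 &&
        today > sp->sp_lstchg + sp->sp_max)
        return PASSWORD_EXPIRED;
    return AGING_OK;
}

/* Helper for constructed sample entries (not real account data). */
struct spwd make_entry(long lstchg, long max, long expire)
{
    static char name[] = "too_old";
    struct spwd sp;
    memset(&sp, 0, sizeof sp);
    sp.sp_namp = name;
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_expire = expire;
    sp.sp_min = sp.sp_warn = sp.sp_inact = -1;
    return sp;
}

int main(void)
{
    long today = days_since_epoch(time(NULL));
    struct spwd sp = make_entry(today - 30, 99999, today - 1); /* expired yesterday */
    /* Only AGING_OK may proceed to the password comparison. */
    printf("%s: %s\n", sp.sp_namp,
           check_aging(&sp, today) == AGING_OK ? "allow" : "deny (401)");
    return 0;
}
```

A password match alone is not sufficient: the aging result has to be `AGING_OK` before the request is authorized.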
Comment 1 Thomas Biege 2004-01-13 17:38:27 UTC
-
Comment 2 Thomas Biege 2004-01-13 17:39:05 UTC
Maybe this could be fixed together with mod_gzip. 
Comment 3 Peter Poeml 2004-01-13 18:35:48 UTC
Yes, good idea. 
Comment 4 Peter Poeml 2004-02-06 20:59:00 UTC
Created attachment 15899 [details]
Proposed patch, extracted from fixed Debian package and separated from another patch
Comment 5 Peter Poeml 2004-02-07 01:34:25 UTC
Reproduced the problem with our package, 

  ==> /var/log/httpd/access_log <==
  10.0.8.6 - too_old [06/Feb/2004:18:28:59 +0100] "GET /auth_shadow/ HTTP/1.0" 200 243


and verified that the fix resolves it:

  ==> /var/log/httpd/access_log <==
  10.0.8.6 - too_old [06/Feb/2004:18:31:53 +0100] "GET /auth_shadow/ HTTP/1.0" 401 466
  
  ==> /var/log/httpd/error_log <==
  /usr/sbin/validate: User too_old: account expired
  [Fri Feb  6 18:31:53 2004] [error] (29)Illegal seek: access to /auth_shadow/ failed for 10.0.8.6, reason: Invalid password entered for user too_old

Comment 6 Peter Poeml 2004-02-10 18:48:22 UTC
The fix is now applied and checked in in all our apache-contrib
packages.
Comment 7 Peter Poeml 2004-02-11 22:33:51 UTC
Thomas, I reassign to you for further processing.
Comment 8 Thomas Biege 2004-02-23 22:25:40 UTC
packages approved. 
Comment 9 Thomas Biege 2004-02-23 22:26:24 UTC
done. 
Comment 10 Thomas Biege 2009-10-13 19:48:51 UTC
CVE-2004-0041: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)