Bug 976849 (CVE-2016-2167)

Summary: VUL-1: CVE-2016-2167: subversion: svnserve/sasl may authenticate users using the wrong realm
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: jsegitz, tchvatal
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:RedHat:CVE-2016-2167:3.6:(AV:N/AC:H/Au:S/C:P/I:P/A:N) CVSSv2:NVD:CVE-2016-2167:4.9:(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-04-22 13:12:09 UTC
Created attachment 674226
CVE-2016-2167-1.9.3.patch

EMBARGOED
CRD: 2016-04-28

  svnserve/sasl may authenticate users using the wrong realm

Summary:
========

  svnserve, the svn:// protocol server, can optionally use the Cyrus
  SASL library for authentication, integrity protection, and encryption.
  Due to a programming oversight, authentication against Cyrus SASL
  would permit the remote user to specify a realm string which is
  a prefix of the expected realm string.

Known vulnerable:
=================

  Subversion 1.9.0 to 1.9.3
  Subversion 1.5.0 to 1.8.15

  Only repositories served by svnserve using SASL are affected.  For
  a repository to be affected, both of the following must be true:

  1. The output of `svnserve --version` includes the line "Cyrus SASL
     authentication is available".

  2. The svnserve.conf file includes "use-sasl = true" in the "[sasl]"
     section.

Known fixed:
============

  Subversion 1.9.4
  Subversion 1.8.16

  mod_dav_svn (any version) is not affected.

  svnserve compiled without SASL support is not affected, regardless
  of the contents of svnserve.conf files.

  If the svnserve.conf file specifies 'use-sasl = false', or does not
  specify 'use-sasl' at all, then the repository or svnserve instance
  using that svnserve.conf file is not affected.

Details:
========

  The Cyrus SASL authentication library provides a callback for
  applications to "canonicalize" the username and realm provided by the
  remote end.  svnserve uses that callback to enforce that either the
  remote end specified no realm, or it specified the repository's realm
  (as declared in the svnserve.conf file).

  Due to a programming oversight, if the remote end specified a realm
  string which is a prefix of the expected realm string, the
  remote-specified realm string would be used in the canonicalized
  value.  Consequently, a user who has valid credentials to a realm,
  whose name is a prefix of the repository's realm, would be able to
  successfully authenticate to the repository.

  Such a user would still be subject to path-based authorization, if
  enabled via the 'authz-db' or 'auth-access' svnserve.conf directives.

  In theory, the erroneous realm comparison would also allow a remote
  user to specify a realm string followed by an ASCII NUL byte and
  possibly by more bytes thereafter.  In practice, however, control flow
  on such inputs does not reach the vulnerable code.

  Examples:

  1. The user "jrandom" in the realm "foo" can successfully authenticate
     to a repository whose realm is "foobar".

Severity:
=========

  CVSSv2 Base Score: 3.6
  CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N

  Since this vulnerability presupposes rare circumstances --- namely,
  having a valid realm name which is a string prefix of the repository's
  realm name --- few deployments will be affected.

  For affected deployments, however, this is a medium-risk
  information disclosure and modification vulnerability.  The extent of
  the information that may be accessed and modified by attackers depends
  on the path-based authorization configuration in use (via the
  'authz-db' and 'auth-access' svnserve.conf directives).

Recommendations:
================

  Affected servers should be upgraded to Subversion 1.8.16 or 1.9.4.

  Workarounds include:

  - Use path-based authorization to deny access to usernames from other
    realms, so they would be able to authenticate but then would have
    authorization to nothing.

  - Change realm names such that no valid realm name is a prefix of the
    repository's realm name.

References:
===========

  CVE-2016-2167 (Subversion)

Reported by:
============

  Daniel Shahaf, Apache Infrastructure
  James McCoy, Debian
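The realm check described in the advisory above, as an added illustration that is not Subversion's own code and not the attached patch: a SASL canonicalize-user callback receives the client's "user@realm" bytes as a (pointer, length) pair and must compare the part after '@' with the realm configured in svnserve.conf. The first function reproduces the prefix-match flaw (a comparison bounded by the client-supplied realm length, so "foo" passes against "foobar", and a realm followed by a NUL byte also passes because the comparison stops there); the second requires an exact length-and-bytes match. Function names, the expected realm "foobar" and the sample usernames are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Both functions model the realm comparison inside a SASL
 * "canonicalize user" callback.  (in, inlen) is the client-supplied
 * "user@realm" string, which is NOT assumed to be NUL-terminated;
 * expected_realm is the realm from svnserve.conf.  Return 1 when the
 * realm is acceptable, 0 when it must be rejected.  A username with
 * no '@' (no realm given) is accepted by both, as the advisory says.
 */

/* Flawed shape: the comparison length is taken from the client's realm,
 * so any prefix of expected_realm matches, and strncmp stops at a NUL. */
int realm_ok_prefix_bug(const char *in, unsigned inlen,
                        const char *expected_realm)
{
    const char *at = memchr(in, '@', inlen);
    if (at == NULL)
        return 1;                             /* no realm supplied */
    const char *realm = at + 1;
    unsigned realm_len = inlen - (unsigned)(realm - in);
    /* BUG: "foo" (3 bytes) compares equal to the first 3 bytes of
     * "foobar"; "foobar\0..." compares equal because both stop at NUL. */
    return strncmp(realm, expected_realm, realm_len) == 0;
}

/* Hardened shape: lengths must be identical and every byte must match,
 * so neither a prefix nor a NUL-padded realm can pass. */
int realm_ok_fixed(const char *in, unsigned inlen,
                   const char *expected_realm)
{
    const char *at = memchr(in, '@', inlen);
    if (at == NULL)
        return 1;                             /* no realm supplied */
    const char *realm = at + 1;
    size_t realm_len = inlen - (size_t)(realm - in);
    size_t expected_len = strlen(expected_realm);
    if (realm_len == 0 || realm_len != expected_len)
        return 0;                             /* length mismatch */
    return memcmp(realm, expected_realm, realm_len) == 0;
}

/* Constructed inputs, including the advisory's "foo" vs "foobar" case
 * and a realm followed by an ASCII NUL byte and extra bytes. */
static void show(const char *label, const char *in, unsigned inlen)
{
    printf("%-28s buggy=%d fixed=%d\n", label,
           realm_ok_prefix_bug(in, inlen, "foobar"),
           realm_ok_fixed(in, inlen, "foobar"));
}

int main(void)
{
    show("jrandom@foobar (correct)", "jrandom@foobar", 14);
    show("jrandom@foo (prefix)", "jrandom@foo", 11);
    show("jrandom@foobar\\0xyz (NUL)", "jrandom@foobar\000xyz", 18);
    show("jrandom (no realm)", "jrandom", 7);
    return 0;
}
```

Running it shows the flawed check accepting the "foo" and NUL-padded realms that the exact-length check rejects, while both accept the correct realm and a username with no realm; path-based authorization (authz-db / auth-access) still applies after either check, which is why the advisory lists it as a workaround.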
Comment 2 Swamp Workflow Management 2016-04-22 22:00:35 UTC
bugbot adjusting priority
Comment 7 Swamp Workflow Management 2016-05-06 11:13:48 UTC
SUSE-SU-2016:1249-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 911620,969159,976849,976850
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    subversion-1.8.10-21.1
SUSE Linux Enterprise Software Development Kit 12 (src):    subversion-1.8.10-21.1
Comment 8 Swamp Workflow Management 2016-05-07 13:08:27 UTC
openSUSE-SU-2016:1263-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 911620,969159,976849,976850
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
openSUSE Leap 42.1 (src):    subversion-1.8.10-9.1
Comment 9 Swamp Workflow Management 2016-05-07 13:08:50 UTC
openSUSE-SU-2016:1264-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 976849,976850,977424
CVE References: CVE-2016-2167,CVE-2016-2168
Sources used:
openSUSE 13.2 (src):    subversion-1.8.16-2.26.1
Comment 10 Swamp Workflow Management 2016-06-07 15:08:33 UTC
SUSE-SU-2016:1511-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 939517,976849,976850
CVE References: CVE-2015-3187,CVE-2016-2167,CVE-2016-2168
Sources used:
SUSE Studio Onsite 1.3 (src):    subversion-1.6.17-1.35.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    subversion-1.6.17-1.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    subversion-1.6.17-1.35.1
Comment 11 Andreas Stieger 2017-08-10 15:10:06 UTC
fixed
Comment 12 Swamp Workflow Management 2017-08-17 10:13:13 UTC
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    subversion-1.8.19-25.3.1