Bug 1197654 - VUL-0: CVE-2022-28321: pam: access denial bypass in pam_access.so
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Josef Möllers
Blocks: 1197021
Reported: 2022-03-29 15:07 UTC by Thomas Leroy
Modified: 2022-05-13 06:08 UTC (History)
Description Thomas Leroy 2022-03-29 15:07:08 UTC
+++ This bug was initially created as a clone of Bug #1197021 +++

From: Thorsten Kukuk

When trying to push upstream an old patch from Josef Moellers for pam_access.so,
I ran into a severe issue:

pam contains a patch pam-hostnames-in-access_conf.patch for bsc#1019866

In short:
"-:root:ALL EXCEPT localhost" does not work, although it is documented as a
valid entry.

I tested the patch by using an openSUSE Tumbleweed VM, created test user "test0"
and used the following line in /etc/security/access.conf:

"-:test0:ALL EXCEPT 127.0.0.1"

I tried to log in (ssh -l test0 <IP of VM>) from the virtualisation host:
1. tested with our patch: I could log in!
2. tested without our patch: the attempt got correctly blocked

It looks like the patch has a problem if you log in from an IP address
which is not resolvable via DNS. You can log in even if not permitted.

I only tested the patch we have in Tumbleweed. Since the patch got
modified in 2020 by Josef, I have no idea whether the problem is new or whether it
already exists in the old patch, which also already had a security
problem: bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953.

The problem seems to be the getaddrinfo (string, ...) around line 800; this
most likely must be getaddrinfo (tok, ...). With this change, this case
works for me. But I cannot do a full validation of all variants.

======

A fixed patch (which also fixes two memory leaks) can be found here:

https://github.com/linux-pam/linux-pam/pull/447

With this version it looks as if you cannot log in anymore if your
IP is blocked.
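Added illustration, constructed for this page and not code from pam or from the patch under discussion: a minimal evaluator for one "-:user:ALL EXCEPT <address>" rule that resolves the configured token (not the origin string a second time), canonicalises both sides before comparing, and denies whenever the origin cannot be resolved, so an unresolvable source address never falls open the way the Tumbleweed patch did. It assumes numeric addresses only (AI_NUMERICHOST) so it runs offline; the function names canon and access_allowed are hypothetical.

```c
#define _POSIX_C_SOURCE 200112L
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

/* Constructed model of one access.conf rule, not pam_access code. */
/* Resolve a host token and write its canonical numeric form to out.
 * AI_NUMERICHOST keeps this offline (assumption); returns -1 on failure. */
static int canon(const char *host, char *out, size_t outlen) {
    struct addrinfo hints, *res;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}

/* Evaluate rule "<+|->:<user>:ALL EXCEPT <address>" for a login by user
 * from origin. Returns 1 = permit, 0 = deny. Every parse or resolution
 * failure denies: an origin that cannot be resolved must not fall open. */
int access_allowed(const char *rule, const char *user, const char *origin) {
    static const char except[] = "ALL EXCEPT ";
    char buf[256], tok_ip[64], orig_ip[64];
    char *users, *froms;

    if (strlen(rule) >= sizeof buf) return 0;
    strcpy(buf, rule);
    if (!(users = strchr(buf, ':'))) return 0;
    *users++ = '\0';
    if (!(froms = strchr(users, ':'))) return 0;   /* IPv6 tokens keep their colons */
    *froms++ = '\0';

    if (strcmp(users, "ALL") != 0 && strcmp(users, user) != 0)
        return 1;                      /* rule is not about this user: no match */
    if (strncmp(froms, except, sizeof except - 1) != 0)
        return 0;                      /* only the ALL EXCEPT form is modelled */
    if (canon(origin, orig_ip, sizeof orig_ip) != 0)
        return 0;                      /* unresolvable origin: deny */
    if (canon(froms + sizeof except - 1, tok_ip, sizeof tok_ip) != 0)
        return 0;                      /* resolve the config token, not the origin again */
    if (strcmp(tok_ip, orig_ip) == 0)
        return 1;                      /* origin is the exception: rule does not apply */
    return buf[0] == '+';              /* rule matches: '-' denies, '+' permits */
}
```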
Comment 11 Thomas Leroy 2022-03-30 09:10:08 UTC
Great, thanks guys!

I notice that SUSE:SLE-15:Update shipped the buggy patch without the fixing use-correct-IP-address.patch in revision 1. R2 fixed this 3 years ago.

SUSE:SLE-12:Update and SUSE:SLE-11-SP2:Update never got the buggy patch.

To sum up, openSUSE:Factory got the fix 2 weeks ago, Leap and SLE15 were vulnerable between r1 and r2 3 years ago. So we're fine.
Comment 12 Thomas Leroy 2022-05-06 09:18:22 UTC
Still waiting for a CVE to be assigned. Closing anyway since everything is fixed.
Comment 13 Thomas Leroy 2022-05-13 06:08:51 UTC
CVE-2022-28321 was assigned.