Bug 1200566 - (CVE-2022-22967) VUL-0: CVE-2022-22967: salt: missing check for PAM_ACCT_MGM return value
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other Other
Priority / Severity: P3 - Medium / Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/334646/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-22967:7.5:(AV:...
Depends on:
Blocks:
Reported: 2022-06-15 11:34 UTC by Thomas Leroy
Modified: 2023-03-01 10:20 UTC
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments:
- patches (40.00 KB, application/x-tar), 2022-06-15 11:34 UTC, Thomas Leroy

Comment 2 Thomas Leroy 2022-06-15 13:12:44 UTC
From a SLE point of view, the following codestreams are affected:
- SUSE:SLE-11-SP3:Update:Manager3:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP4:Update
Comment 12 Robert Frohl 2022-06-22 13:48:50 UTC
public via [0]:

CVE Details CVE-2022-22967

    Description: PAM auth fails to reject locked accounts.
    Impact: A previously authorized user whose account is locked may still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
    Solution: PAM account status is now correctly checked, rejecting locked accounts.

How to Mitigate:

    Upgrade to 3002.9, 3003.5, or 3004.2.
    Alternatively, remove locked accounts rather than rely on Salt's PAM eauth functionality.
    Or, change to a different eauth module.

Attribution: https://github.com/ysf
Severity Rating: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

[0] https://saltproject.io/security_announcements/salt-security-advisory-release-june-21st-2022/
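The advisory quoted above describes the defect in one sentence: the eauth path accepted a PAM_SUCCESS from pam_authenticate() and never consulted pam_acct_mgmt(), so an account that the PAM *account* stack rejects (expired via `chage -E`, refused by pam_access or pam_nologin, password change required) could still obtain Salt credentials. The example below is added here to make that control flow concrete; it is not Salt's own pam.py and does not link libpam. `FakePam` is a constructed stand-in that answers with the real Linux-PAM status codes, and the user names, passwords and account states in `demo()` are invented test data. The distinction it shows is the one that matters for triage: pam_authenticate() only proves the credential, pam_acct_mgmt() is where expiry and access-policy modules speak.

```python
"""Added example, not Salt project code: why a missing pam_acct_mgmt() check matters.

`FakePam` is a constructed stand-in for the two libpam calls involved; it returns
the real Linux-PAM status codes but performs no real authentication.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Linux-PAM return codes (values as defined in <security/_pam_types.h>)
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12
PAM_ACCT_EXPIRED = 13


@dataclass
class FakePam:
    """Constructed stand-in for libpam (assumption: not a real binding).

    `passwords` drives authenticate() (the credential stack); `acct_status`
    is what the account stack, i.e. pam_acct_mgmt(), would answer per user.
    """
    passwords: Dict[str, str]
    acct_status: Dict[str, int] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> int:
        if user not in self.passwords:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if self.passwords[user] == password else PAM_AUTH_ERR

    def acct_mgmt(self, user: str) -> int:
        # An account with no entry is in good standing.
        return self.acct_status.get(user, PAM_SUCCESS)


def auth_vulnerable(pam: FakePam, user: str, password: str) -> bool:
    """Pre-fix control flow: success is decided by the credential check alone."""
    return pam.authenticate(user, password) == PAM_SUCCESS


def auth_fixed(pam: FakePam, user: str, password: str) -> bool:
    """Post-fix control flow: pam_acct_mgmt() must also return PAM_SUCCESS.

    Any non-zero account status is a refusal here, including
    PAM_NEW_AUTHTOK_REQD: a non-interactive API caller has no conversation in
    which the password could be changed, so accepting it would again let a
    non-compliant account run commands.
    """
    if pam.authenticate(user, password) != PAM_SUCCESS:
        return False
    return pam.acct_mgmt(user) == PAM_SUCCESS


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {case: (vulnerable_result, fixed_result)} over constructed accounts."""
    pam = FakePam(
        passwords={"alice": "correct-horse", "bob": "battery-staple", "carol": "s3cret"},
        acct_status={
            "bob": PAM_ACCT_EXPIRED,    # e.g. `chage -E 2020-01-01 bob`
            "carol": PAM_PERM_DENIED,   # e.g. refused by pam_access / pam_nologin
        },
    )
    cases: List[Tuple[str, str, str]] = [
        ("active account, right password", "alice", "correct-horse"),
        ("expired account, right password", "bob", "battery-staple"),
        ("denied account, right password", "carol", "s3cret"),
        ("active account, wrong password", "alice", "wrong"),
    ]
    return {
        label: (auth_vulnerable(pam, u, p), auth_fixed(pam, u, p))
        for label, u, p in cases
    }


if __name__ == "__main__":
    for label, (vuln, fixed) in demo().items():
        print(f"{label:32} vulnerable={vuln!s:5} fixed={fixed}")
```

The two middle cases are the CVE: the credential is valid, so the vulnerable path returns True, while the account stack says expired or denied and the fixed path refuses. This is also why "locked" in the advisory should be read broadly; a `passwd -l` lock changes the hash and already fails at pam_authenticate(), whereas expiry and policy denials only ever surface through pam_acct_mgmt().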
Comment 13 Pablo Suárez Hernández 2022-06-22 15:34:31 UTC
Question for Security: can we start already with the submissions to OBS and Factory for this or should we wait until the submissions for SLE are finally released?

TIA.
Comment 14 Marcus Meissner 2022-06-22 15:37:30 UTC
you can start with submissions for obs and factory already.
Comment 15 Swamp Workflow Management 2022-06-22 16:16:49 UTC
SUSE-SU-2022:2154-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Manager Tools 12 (src):    salt-3000-65.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    salt-3000-65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 OBSbugzilla Bot 2022-06-23 08:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1200566) was mentioned in
https://build.opensuse.org/request/show/984677 Factory / salt
Comment 17 Swamp Workflow Management 2022-06-23 13:16:49 UTC
SUSE-SU-2022:2159-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    salt-3004-150100.71.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    salt-3004-150100.71.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    salt-3004-150100.71.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    salt-3004-150100.71.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    salt-3004-150100.71.1
SUSE Enterprise Storage 6 (src):    salt-3004-150100.71.1
SUSE CaaS Platform 4.0 (src):    salt-3004-150100.71.1
Comment 18 Swamp Workflow Management 2022-06-24 16:18:07 UTC
SUSE-SU-2022:2178-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    salt-3004-150300.53.24.1
SUSE Linux Enterprise Module for Transactional Server 15-SP3 (src):    salt-3004-150300.53.24.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    salt-3004-150300.53.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    salt-3004-150300.53.24.1
SUSE Linux Enterprise Micro 5.2 (src):    salt-3004-150300.53.24.1
SUSE Linux Enterprise Micro 5.1 (src):    salt-3004-150300.53.24.1
Comment 19 Swamp Workflow Management 2022-07-04 13:16:46 UTC
SUSE-SU-2022:2253-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    salt-3004-150000.8.41.40.1
SUSE Linux Enterprise Server 15-LTSS (src):    salt-3004-150000.8.41.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    salt-3004-150000.8.41.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    salt-3004-150000.8.41.40.1
Comment 20 Swamp Workflow Management 2022-07-06 13:18:53 UTC
SUSE-SU-2022:2278-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    salt-3004-150200.72.1
SUSE Manager Retail Branch Server 4.1 (src):    salt-3004-150200.72.1
SUSE Manager Proxy 4.1 (src):    salt-3004-150200.72.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    salt-3004-150200.72.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    salt-3004-150200.72.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    salt-3004-150200.72.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    salt-3004-150200.72.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    salt-3004-150200.72.1
SUSE Enterprise Storage 7 (src):    salt-3004-150200.72.1
Comment 21 Swamp Workflow Management 2022-07-06 16:30:00 UTC
SUSE-SU-2022:2304-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    salt-3004-150400.8.8.1
SUSE Linux Enterprise Module for Transactional Server 15-SP4 (src):    salt-3004-150400.8.8.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    salt-3004-150400.8.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    salt-3004-150400.8.8.1
Comment 24 Swamp Workflow Management 2022-09-01 15:14:12 UTC
SUSE-SU-2022:2178-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1200566
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    salt-3004-150300.53.24.1
Comment 25 Swamp Workflow Management 2022-09-08 10:25:05 UTC
SUSE-SU-2022:15036-1: An update that solves one vulnerability, contains one feature and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200163,1200566,1200591,1201003,1201082,1202259
CVE References: CVE-2022-22967
JIRA References: ECO-3319
Sources used:
Comment 26 Swamp Workflow Management 2022-09-08 13:27:50 UTC
SUSE-SU-2022:15038-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
Comment 27 Swamp Workflow Management 2022-09-08 13:31:09 UTC
SUSE-SU-2022:3184-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
Comment 28 Swamp Workflow Management 2022-09-08 13:36:46 UTC
SUSE-SU-2022:3172-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Manager Tools 15 (src):    venv-salt-minion-3004-150000.3.11.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    venv-salt-minion-3004-150000.3.11.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    venv-salt-minion-3004-150000.3.11.1
Comment 29 Swamp Workflow Management 2022-09-08 13:37:51 UTC
SUSE-SU-2022:15041-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
Comment 30 Swamp Workflow Management 2022-09-08 13:42:51 UTC
SUSE-SU-2022:3177-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used:
SUSE Manager Tools 12 (src):    venv-salt-minion-3004-3.11.1
Comment 31 Swamp Workflow Management 2022-09-08 13:48:31 UTC
SUSE-SU-2022:15037-1: An update that solves one vulnerability, contains one feature and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200163,1200566,1200591,1201003,1201082,1202259
CVE References: CVE-2022-22967
JIRA References: ECO-3319
Sources used:
Comment 32 Swamp Workflow Management 2022-09-08 13:49:48 UTC
SUSE-SU-2022:3170-1: An update that solves one vulnerability, contains one feature and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200163,1200566,1200591,1201003,1201082,1202259
CVE References: CVE-2022-22967
JIRA References: ECO-3319
Sources used:
Comment 33 Swamp Workflow Management 2022-09-08 14:08:41 UTC
SUSE-SU-2022:3180-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1195895,1197288,1198489,1198744,1199372,1200566,1201082
CVE References: CVE-2022-22967
JIRA References: 
Sources used: