Bug 707645 - (CVE-2011-3172) VUL-1: CVE-2011-3172: pam: unix2_chkpwd do not check for a valid account
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/72739/
CVSSv2:NVD:CVE-2011-3172:10.0:(AV:N/...
Reported: 2011-07-22 10:18 UTC by Michael Calmer
Modified: 2020-04-27 15:36 UTC (History)

Found By: Development


Attachments
proposed fixed version of unix2_chkpwd (5.81 KB, text/plain)
2011-07-22 10:39 UTC, Michael Calmer

Description Michael Calmer 2011-07-22 10:18:26 UTC
unix2_chkpwd does not call pam_acct_mgmt, which means that it does not verify
whether the user's account is valid.

pam_acct_mgmt checks for authentication token and account expiration and verifies
access restrictions.
Comment 1 Michael Calmer 2011-07-22 10:38:07 UTC
Additionally, unix2_chkpwd should only call sleep(5) if authentication failed.
Comment 2 Michael Calmer 2011-07-22 10:39:16 UTC
Created attachment 441720 [details]
proposed fixed version of unix2_chkpwd
Comment 3 Michael Calmer 2011-07-22 10:58:32 UTC
Ludwig: please review.
Comment 4 Michael Calmer 2011-07-22 11:35:37 UTC
How to test:

Create a disabled user:
$> useradd -m userdisabled
$> passwd userdisabled
New Password: system
Enter new password again: system
$> chage -d 2011-05-01 -M 30 userdisabled
$> chage -l userdisabled
Minimum:        0
Maximum:        30
Warning:        7
Inactive:       -1
Last Change:            May 01, 2011
Password Expires:       May 31, 2011
Password Inactive:      Never
Account Expires:        Never

Verify the bug, by calling:
$> echo -n "system" | /sbin/unix2_chkpwd smtp userdisabled && echo "success" || echo "failed"

The answer is "success", which is wrong.

After installing the update, repeat the command. The answer should be "failed".
In /var/log/messages you can see an error like:
unix2_chkpwd[11483]: pam_acct_mgmt(smtp, userdisabled): Authentication token is no longer valid; new one required
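The decision flow behind the test above, as an added example (not the pam-modules source or the attached patch): the pre-fix and post-fix unix2_chkpwd logic side by side, with the PAM steps injected as function pointers so the block builds and runs without libpam; the stub account and its return codes are constructed for the demonstration.

```c
/* Control flow of the unix2_chkpwd fix (added example, not the pam-modules
 * source). PAM calls are injected as function pointers so the logic runs
 * without libpam; the real program passes its pam_handle_t instead of ctx. */
/* Linux-PAM return codes, values as in <security/pam_appl.h>, reproduced
 * here so the block compiles stand-alone. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12   /* "Authentication token is no longer valid" */

typedef int (*pam_step_fn)(void *ctx);
struct chkpwd_hooks {
    pam_step_fn authenticate;  /* stands in for pam_authenticate() */
    pam_step_fn acct_mgmt;     /* stands in for pam_acct_mgmt() */
    void (*delay)(void *ctx);  /* stands in for sleep(5) */
};
/* Before the fix: password only, and the delay runs on every call. */
int chkpwd_before(const struct chkpwd_hooks *h, void *ctx)
{
    int rc = h->authenticate(ctx);
    h->delay(ctx);                 /* comment 1: sleeps even on success */
    return rc == PAM_SUCCESS;      /* an expired account still passes */
}
/* After the fix: authenticate, then acct_mgmt; delay only on failure. */
int chkpwd_after(const struct chkpwd_hooks *h, void *ctx)
{
    int rc = h->authenticate(ctx);
    if (rc == PAM_SUCCESS)
        rc = h->acct_mgmt(ctx);    /* expiry, lock-out, access restrictions */
    if (rc != PAM_SUCCESS) {       /* the real tool logs pam_strerror() here */
        h->delay(ctx);
        return 0;
    }
    return 1;
}

/* Constructed account state that drives the stub PAM steps below. */
struct fake_account { int password_ok; int acct_rc; int delays; };
static int stub_auth(void *c)
{ return ((struct fake_account *)c)->password_ok ? PAM_SUCCESS : PAM_AUTH_ERR; }
static int stub_acct(void *c) { return ((struct fake_account *)c)->acct_rc; }
static void stub_delay(void *c) { ((struct fake_account *)c)->delays++; }
/* One scenario: returns 1 for "success", 0 for "failed", as in comment 4. */
int run_scenario(int fixed, int password_ok, int acct_rc, int *delays)
{
    struct fake_account a = { password_ok, acct_rc, 0 };
    struct chkpwd_hooks h = { stub_auth, stub_acct, stub_delay };
    int ok = fixed ? chkpwd_after(&h, &a) : chkpwd_before(&h, &a);
    *delays = a.delays;
    return ok;
}
```

The first scenario in the test reproduces the bug: a correct password on an account whose token has expired is reported as "success" before the fix and "failed" after it.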
Comment 5 Ludwig Nussel 2011-07-22 14:22:08 UTC
Looks good, but I wonder if it won't break screensavers. What happens, e.g., if the password expires while I'm logged in with a locked screen (e.g. over the weekend or holidays)? Normally a PAM app would call pam_chauthtok(), but unix2_chkpwd can't. So you may need to ignore PAM_NEW_AUTHTOK_REQD even though that's not allowed normally.
Comment 6 Michael Calmer 2011-07-27 15:25:27 UTC
Good question. Let's see what Thorsten thinks.
Comment 8 Thorsten Kukuk 2011-08-01 07:10:42 UTC
(In reply to comment #5)
> looks good but I wonder if it won't break screensavers. What happens e.g. if
> the password expires while I'm logged in with locked screen (e.g over the
> weekend or holidays)?

The same as today if the sysadmin disables your account: you cannot unlock the screensaver anymore and you have to go to your sysadmin.
Comment 9 Michael Calmer 2011-08-29 14:51:55 UTC
So it seems everybody agreed on this patch.

Ludwig: is there still an update for pam-modules in the queue?
Comment 10 Ludwig Nussel 2011-08-29 15:03:52 UTC
nope
Comment 11 Michael Calmer 2011-08-29 15:36:56 UTC
Maintenance: I would like to have a swampid for this issue.
Comment 14 Ludwig Nussel 2011-08-31 08:35:34 UTC
CVE-2011-3172
Comment 15 Bernhard Wiedemann 2011-08-31 10:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (707645) was mentioned in
https://build.opensuse.org/request/show/80346 Factory / pam-modules
Comment 16 Michael Calmer 2014-10-15 07:14:06 UTC
No answer, so let's forget about this.
Comment 20 Swamp Workflow Management 2018-06-20 13:08:36 UTC
SUSE-SU-2018:1760-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 707645
CVE References: CVE-2011-3172
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    pam-modules-11-1.27.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    pam-modules-11-1.27.3.1
Comment 21 Alexandros Toptsoglou 2020-04-27 15:36:37 UTC
Done