CVE-2009-2410
First published: Mon Jul 27 2009(Updated: )
Description of problem: If a user is added to the SSSD BE database, but no password is set. The user can ssh to the SSSD configured client and enter any password and get in. TESTED CONFIGURATION system-auth configuration: auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok auth sufficient pam_sss.so use_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_sss.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok use_authtok password sufficient pam_sss.so use_first_pass password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_unix.so session required pam_sss.so sssd configuration: [services] description = Local Service Configuration activeServices = nss, pam reconnection_retries = 3 [services/nss] description = NSS Responder Configuration filterGroups = root filterUsers = root debug-level = 4 [services/dp] description = Data Provider Configuration debug-level = 4 [services/pam] description = PAM Responder Configuration [services/monitor] description = Service Monitor Configuration [domains] description = Domains served by SSSD domains = LOCAL [domains/LOCAL] description = LOCAL Users domain enumerate = 1 minId = 1000 maxId = 1010 legacy = FALSE magicPrivateGroups = TRUE provider = local Version-Release number of selected component (if applicable): sssd-0.4.1-1.fc11.i586 How reproducible: always Steps to Reproduce: 1. yum install sssd 2. edit system-auth (as above) and nsswitch.conf as required 3. modify /etc/sssd/sssd.conf as above 4. service start sssd 5. sss_useradd -u 1000 -h /home/myuser -b /bin/bash myuser 6. from a remote machine ssh to the sssd client machine sssh myuser 7. at password prompt enter anything you would like Actual results: ssh session is successful and user allowed machine access Expected results: password to be denied, user not allowed machine access Additional info: If you subsequently set the user password on the sssd client machine (passwd myuser) a bad password denies access and the correct password allows access.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedorahosted Sssd | =0.4.1 | |
| redhat/0.4.1 | <3. | 3. |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01236.html
- http://www.securityfocus.com/bid/35868
- https://bugzilla.redhat.com/attachment.cgi?id=355424
- http://secunia.com/advisories/36018
- https://bugzilla.redhat.com/show_bug.cgi?id=514057
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52210
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355410
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355410&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355424&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=355424&action=edit
- http://koji.fedoraproject.org/koji/buildinfo?buildID=124518
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-2410
- agent/software-canonical-lookup
- vendor/fedorahosted
- canonical/fedorahosted sssd
- version/fedorahosted sssd/0.4.1
- package-manager/redhat