Bugzilla – Bug 707645
VUL-1: CVE-2011-3172: pam: unix2_chkpwd does not check for a valid account
Last modified: 2020-04-27 15:36:37 UTC
unix2_chkpwd does not call pam_acct_mgmt, which means that it does not verify whether the user's account is valid. pam_acct_mgmt checks for authentication token and account expiration and verifies access restrictions.
Additionally, unix2_chkpwd should only call sleep(5) if authentication failed.
Created attachment 441720: proposed fixed version of unix2_chkpwd
Ludwig: please review.
How to test: Create a disabled user:

$> useradd -m userdisabled
$> passwd userdisabled
New Password: system
Enter new password again: system
$> chage -d 2011-05-01 -M 30 userdisabled
$> chage -l userdisabled
Minimum: 0
Maximum: 30
Warning: 7
Inactive: -1
Last Change: May 01, 2011
Password Expires: May 31, 2011
Password Inactive: Never
Account Expires: Never

Verify the bug by calling:

$> echo -n "system" | /sbin/unix2_chkpwd smtp userdisabled && echo "success" || echo "failed"

The answer is "success", which is wrong.

After installing the update, repeat the command. The answer should be "failed". In /var/log/messages you can see an error like:

unix2_chkpwd[11483]: pam_acct_mgmt(smtp, userdisabled): Authentication token is no longer valid; new one required
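As an added example (not the unix2_chkpwd or pam-modules code, and not the attached patch), the following C program models the step the helper was missing: the shadow aging and expiry check that pam_acct_mgmt() performs after a correct password. Password verification itself is abstracted to a flag standing in for the result of pam_authenticate(); the shadow record and dates are constructed to match the test user above (last change 2011-05-01, maximum 30 days); the aging rules follow shadow(5) as pam_unix-style account modules apply them, but the struct, status and chkpwd_* names and the numeric status values are this example's own. It also covers the account-expiry and inactivity cases the test recipe does not exercise.

```c
/* Added example, not the pam-modules source: a model of the account step
 * unix2_chkpwd skipped by calling pam_authenticate() without pam_acct_mgmt().
 * Aging rules follow shadow(5) as pam_unix-style account modules apply them;
 * struct, status and chkpwd_* names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes of the account check; comments name the PAM code each mirrors.
 * The numeric values are this example's, not libpam's. */
typedef enum {
    ACCT_OK = 0,          /* PAM_SUCCESS */
    ACCT_AUTHTOK_REQD,    /* PAM_NEW_AUTHTOK_REQD: password aged out, must change */
    ACCT_AUTHTOK_EXPIRED, /* PAM_AUTHTOK_EXPIRED: inactivity period passed too */
    ACCT_EXPIRED          /* PAM_ACCT_EXPIRED: account expiry date reached */
} acct_status;

/* One /etc/shadow record; -1 in a numeric field means it was empty. */
typedef struct {
    char name[64], hash[256];
    long lstchg, min, max, warn, inact, expire;
} shadow_entry;

/* Days since 1970-01-01 for a Gregorian date, the unit shadow(5) stores. */
long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static long field_to_long(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }

/* Parse "name:hash:lstchg:min:max:warn:inact:expire:flag"; 0 on success. */
int parse_shadow_line(const char *line, shadow_entry *e) {
    char buf[512], *f[9], *p = buf;
    int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    f[n++] = p;                          /* strchr keeps empty fields; strtok would not */
    while (n < 9 && (p = strchr(p, ':')) != NULL) { *p++ = '\0'; f[n++] = p; }
    if (n < 8) return -1;                /* shadow(5) needs at least eight fields */
    snprintf(e->name, sizeof e->name, "%s", f[0]);
    snprintf(e->hash, sizeof e->hash, "%s", f[1]);
    e->lstchg = field_to_long(f[2]); e->min    = field_to_long(f[3]);
    e->max    = field_to_long(f[4]); e->warn   = field_to_long(f[5]);
    e->inact  = field_to_long(f[6]); e->expire = field_to_long(f[7]);
    return 0;
}

/* What pam_acct_mgmt() adds on top of a correct password: aging and expiry. */
acct_status check_shadow_expiry(const shadow_entry *e, long curdays) {
    if (e->expire != -1 && curdays >= e->expire) return ACCT_EXPIRED;
    if (e->lstchg == 0) return ACCT_AUTHTOK_REQD;      /* root forced a change */
    if (curdays < e->lstchg) return ACCT_OK;           /* changed "in the future" */
    long age = curdays - e->lstchg;
    if (e->max != -1 && e->inact != -1 && age > e->max + e->inact) return ACCT_AUTHTOK_EXPIRED;
    if (e->max != -1 && age > e->max) return ACCT_AUTHTOK_REQD;
    return ACCT_OK;
}

typedef struct {
    int allowed;
    unsigned delay_seconds;  /* the sleep(5) the helper would perform */
    acct_status acct;
} chkpwd_result;

/* Pre-fix behaviour as the report describes it: password only, sleep(5) always.
 * password_ok stands in for pam_authenticate()'s result; hashing is out of scope. */
chkpwd_result chkpwd_old(const shadow_entry *e, int password_ok, long curdays) {
    (void)e; (void)curdays;
    chkpwd_result r = { password_ok ? 1 : 0, 5, ACCT_OK };
    return r;
}

/* Fixed behaviour: authenticate, then the account check; delay only on failure.
 * Delaying on an account-check failure as well is this example's choice. */
chkpwd_result chkpwd_fixed(const shadow_entry *e, int password_ok, long curdays) {
    chkpwd_result r = { 0, 0, ACCT_OK };
    if (!password_ok) { r.delay_seconds = 5; return r; }
    r.acct = check_shadow_expiry(e, curdays);
    if (r.acct != ACCT_OK) { r.delay_seconds = 5; return r; }
    r.allowed = 1;
    return r;
}

int main(void) {
    /* Constructed record for the bug's test user: last change day 15095
     * (2011-05-01), max 30, no inactivity or account expiry. */
    shadow_entry e;
    if (parse_shadow_line("userdisabled:$6$constructed$hash:15095:0:30:7:::", &e)) return 1;
    long today = days_from_civil(2011, 8, 1);
    chkpwd_result old = chkpwd_old(&e, 1, today), fixed = chkpwd_fixed(&e, 1, today);
    printf("old: allowed=%d  fixed: allowed=%d acct=%d delay=%us\n",
           old.allowed, fixed.allowed, (int)fixed.acct, fixed.delay_seconds);
    return 0;
}
```

Run as is, chkpwd_old accepts the aged-out test user with the right password (the reported bug) while chkpwd_fixed rejects it and reports ACCT_AUTHTOK_REQD. Returning the account status alongside the verdict lets a caller distinguish a password that merely needs changing from an expired or disabled account, which is the distinction the screensaver question later in the thread turns on.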
looks good but I wonder if it won't break screensavers. What happens e.g. if the password expires while I'm logged in with locked screen (e.g. over the weekend or holidays)? Normally a pam app would call pam_chauthtok() but unix2_chkpwd can't. So you may need to ignore PAM_NEW_AUTHTOK_REQD even though that's not allowed normally.
good question. Let's see what Thorsten thinks.
(In reply to comment #5)
> looks good but I wonder if it won't break screensavers. What happens e.g. if
> the password expires while I'm logged in with locked screen (e.g over the
> weekend or holidays)?

The same as of today if the sysadmin disables your account: you cannot unlock the screensaver anymore and you have to go to your sysadmin.
So it seems everybody agreed on this patch. Ludwig: is there still an update for pam-modules in the queue?
nope
Maintenance: I would like to have a swampid for this issue.
CVE-2011-3172
This is an autogenerated message for OBS integration: This bug (707645) was mentioned in https://build.opensuse.org/request/show/80346 Factory / pam-modules
No answer, so let's forget about this.
SUSE-SU-2018:1760-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 707645
CVE References: CVE-2011-3172
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): pam-modules-11-1.27.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): pam-modules-11-1.27.3.1
Done