Bug 870168 (CVE-2014-2830) - VUL-1: CVE-2014-2830: cifs-utils: pam module pam_cifscreds stack overflow
Summary: VUL-1: CVE-2014-2830: cifs-utils: pam module pam_cifscreds stack overflow
Status: RESOLVED FIXED
Duplicates: 1016762
Alias: CVE-2014-2830
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assignee: Aurelien Aptel
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2014-2830:10.0:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-25 13:50 UTC by Marcus Meissner
Modified: 2020-05-12 17:41 UTC
CC List: 7 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
overflow fix (829 bytes, patch) - 2014-04-08 11:27 UTC, Sebastian Krahmer
better patch (1.17 KB, patch) - 2014-04-08 12:46 UTC, Sebastian Krahmer
backported fix for v5.1 based versions (SLE11-SP3, SLE11-SP4) (1.36 KB, patch) - 2017-01-23 16:08 UTC, Aurelien Aptel

Description Marcus Meissner 2014-03-25 13:50:47 UTC
pam_cifscreds - PAM module to manage NTLM credentials in kernel keyring

was added to SLE12 as a new subpackage of "cifs-utils".

quote manpage:
       The pam_cifscreds PAM module is a tool for automatically adding
       credentials (username and password) for the purpose of establishing
       sessions in multiuser mounts.

       When a cifs filesystem is mounted with the "multiuser" option, and does
       not use krb5 authentication, it needs to be able to get the credentials
       for each user from somewhere. The pam_cifscreds module can be used to
       provide these credentials to the kernel automatically at login.

       In the session section of the PAM configuration file, the module can
       be given either an NT domain name or a list of hostnames or addresses.


           +++ auth       optional     pam_cifscreds.so
           +++ session    optional     pam_cifscreds.so domain=DOMAIN
Comment 2 Sebastian Krahmer 2014-04-08 11:27:16 UTC
Created attachment 585445 [details]
overflow fix

.
Comment 3 Sebastian Krahmer 2014-04-08 11:28:53 UTC
Fixing buffer overflow in cifskey, maybe also used in samba itself?
Comment 4 Sebastian Krahmer 2014-04-08 12:46:36 UTC
Created attachment 585460 [details]
better patch

.
Comment 5 SMASH SMASH 2014-06-30 13:30:15 UTC
Affected packages:

SLE-11-SP3: cifs-utils
Comment 7 Marcus Meissner 2014-09-05 09:34:06 UTC
ping? any update?
Comment 8 Johannes Segitz 2015-03-24 10:36:42 UTC
For SLE 12 this is fixed. SLE 11 SP3 still has a problem in create_description but a different patch is necessary. Still keeping this as VUL-1
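The bug class named in comment 3 and comment 8 (a key description built into a fixed-size stack buffer with unbounded string copies in cifskey) is illustrated below with a constructed C example added for this page. It is not the cifs-utils source and not either attached patch; the function names create_description_unsafe and create_description_safe, the KEY_PREFIX value and the buffer sizing are assumptions made for the illustration. The unsafe variant is shown only for comparison and is never called with oversized input; the safe variant bounds the write and reports a host that does not fit instead of writing past the buffer.

```c
/*
 * Constructed illustration of the overflow class behind CVE-2014-2830:
 * a keyring description is assembled into a fixed-size stack buffer with
 * unbounded string functions. Names, prefix and sizes are assumptions for
 * this example and are not the cifs-utils code.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>      /* INET6_ADDRSTRLEN on glibc */

#ifndef INET6_ADDRSTRLEN
#define INET6_ADDRSTRLEN 46
#endif

#define KEY_PREFIX "cifs:a:"                 /* assumed prefix */
/* prefix without its NUL + longest textual IPv6 address incl. NUL */
#define DESC_LEN (sizeof(KEY_PREFIX) - 1 + INET6_ADDRSTRLEN)

/*
 * Vulnerable pattern: strcpy/strcat assume that host fits in the
 * INET6_ADDRSTRLEN-sized remainder of desc. A host string longer than
 * that writes past desc[] on the caller's stack. Never called here with
 * oversized input; it exists only to show the shape of the bug.
 */
void create_description_unsafe(char desc[DESC_LEN], const char *host)
{
    strcpy(desc, KEY_PREFIX);
    strcat(desc, host);
}

/*
 * Hardened pattern: bound the write to desc_len and treat truncation as
 * an error. Returns 0 on success, -1 if host does not fit; on failure
 * desc is left empty so a caller cannot register a partial description.
 */
int create_description_safe(char *desc, size_t desc_len, const char *host)
{
    int n = snprintf(desc, desc_len, "%s%s", KEY_PREFIX, host);
    if (n < 0 || (size_t)n >= desc_len) {
        if (desc_len)
            desc[0] = '\0';
        return -1;
    }
    return 0;
}

/* Up-front input validation: 1 if host fits after KEY_PREFIX, else 0. */
int host_fits(const char *host)
{
    return strlen(host) < INET6_ADDRSTRLEN;  /* leaves room for the NUL */
}

int main(void)
{
    char desc[DESC_LEN];
    const char *ok = "fileserver.example.com";   /* constructed input */
    char too_long[200];                           /* constructed input */

    memset(too_long, 'A', sizeof(too_long) - 1);
    too_long[sizeof(too_long) - 1] = '\0';

    if (create_description_safe(desc, sizeof(desc), ok) == 0)
        printf("accepted: %s\n", desc);

    if (create_description_safe(desc, sizeof(desc), too_long) != 0)
        printf("rejected: %zu-byte host does not fit in %zu-byte buffer\n",
               strlen(too_long), sizeof(desc));

    return 0;
}
```

The check worth carrying into review of either attached patch is the second half of the hardened variant: snprintf alone only avoids the write past the end, and the return value must be compared against the buffer size so a truncated description is rejected rather than silently used.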
Comment 9 Andreas Stieger 2015-11-03 09:47:26 UTC
Move bug to incident component
Comment 14 Aurelien Aptel 2017-01-23 16:06:36 UTC
cifs-utils has included pam_cifscreds since v6.3. SLE-11-SP* packages are all based on v5.1.

There *is* a variation of the vulnerable code in v5.1, but I'm almost completely sure it's *not* exposed to user input because the code is only written for and used by the cifscreds program, which is not part of the package (not enabled in the configure script step, I assume) in both 11SP3 and 11SP4.

Nevertheless I've backported the fix to 5.1, if we ever enabled cifscreds.

Fix is available on my home repo on IBS at:

https://build.suse.de/package/show/home:aaptel:bsc870168-cifs-utils/cifs-utils

I'm also including the backported patch as attachment, if anyone prefers that.
Comment 15 Aurelien Aptel 2017-01-23 16:08:00 UTC
Created attachment 711270 [details]
backported fix for v5.1 based versions (SLE11-SP3, SLE11-SP4)
Comment 16 Thomas Abraham 2017-01-26 21:43:13 UTC
(In reply to Aurelien Aptel from comment #15)
> Created attachment 711270 [details]
> backported fix for v5.1 based versions (SLE11-SP3, SLE11-SP4)

Is it ok to provide PTFs with this fix?
Comment 17 Aurelien Aptel 2017-01-31 10:06:00 UTC
Yes.
Comment 18 Aurelien Aptel 2017-03-20 12:18:46 UTC
Sent a maintenance request (id 129584), sorry for the delay.
Comment 20 Aurelien Aptel 2017-03-21 11:32:54 UTC
closing.
Comment 21 Aurelien Aptel 2017-03-22 14:53:50 UTC
*** Bug 1016762 has been marked as a duplicate of this bug. ***