Bug 916766 (CVE-2015-2704) - AUDIT-0: CVE-2015-2704: realmd: New DBUS service: realmd
Summary: AUDIT-0: CVE-2015-2704: realmd: New DBUS service: realmd
Status: RESOLVED FIXED
Alias: CVE-2015-2704
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2015-02-08 07:17 UTC by Klaus Kämpf
Modified: 2016-03-17 18:15 UTC (History)
Comment 1 Sebastian Krahmer 2015-02-18 14:49:23 UTC
There are issues in realmd that allow attackers to set up evil AD
servers that are automatically joined by realmd, allowing remote
compromise of the system:

https://bugs.freedesktop.org/show_bug.cgi?id=89205

Further, realmd does not sanitize some of the attributes it
fetched from a potentially untrusted LDAP server it discovered
via _ldap._tcp, leading to another compromise because of
injected \r characters which are interpreted as newline separator
by sssd and winbind:

https://bugs.freedesktop.org/show_bug.cgi?id=89207
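
The \r injection described in Comment 1, as an added example (not code from realmd or from this bug report): a check that rejects control characters in a network-supplied value before it is written as a config line, next to a model of a consumer that splits lines on \r. The function names, the `realm` key and the sample values are assumptions constructed for illustration; this is an input-validation check, not the upstream fix.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not realmd's API): returns 1 if a value taken from
 * the network may be written as a single "key = value" config line. */
int value_is_safe(const char *v, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c == 0x7f)  /* CR, LF, NUL and other control bytes */
            return 0;
    }
    return 1;
}

/* Models a consumer that treats both '\r' and '\n' as line separators,
 * the behaviour the report attributes to sssd and winbind.
 * Returns the number of non-empty lines such a consumer would see. */
size_t count_config_lines(const char *text)
{
    size_t n = 0;
    int in_line = 0;
    for (; *text; text++) {
        if (*text == '\r' || *text == '\n')
            in_line = 0;
        else if (!in_line) {
            in_line = 1;
            n++;
        }
    }
    return n;
}

/* Writes "key = value\n" into out only if the value passes the check.
 * Returns 0 on success, -1 if the value is rejected or out is too small. */
int emit_setting(char *out, size_t outsz, const char *key,
                 const char *value, size_t vlen)
{
    size_t klen = strlen(key);
    if (!value_is_safe(value, vlen) || klen + 3 + vlen + 2 > outsz)
        return -1;
    memcpy(out, key, klen);
    memcpy(out + klen, " = ", 3);
    memcpy(out + klen + 3, value, vlen);
    memcpy(out + klen + 3 + vlen, "\n", 2);  /* newline plus terminating NUL */
    return 0;
}
```

The length is passed explicitly so that a value containing an embedded NUL is rejected rather than silently truncated.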
Comment 3 Marcus Meissner 2015-03-26 06:03:43 UTC
From Mitre:

> Upstream has opened two bugs for issues in realmd

This initial response has a CVE ID only for the second one.

> could lead to remote attackers logging into the local system
> by placing an evil AD server in the LAN
> https://bugs.freedesktop.org/show_bug.cgi?id=89205

Is upstream planning to announce this as a vulnerability fix? Although
the old behavior was unsafe if there was any possibility of an
untrusted device on the LAN, it appears that the old behavior had been
intentional. For example, the old behavior may have been chosen as a
security/convenience tradeoff. This example might be applicable:

  https://fedoraproject.org/wiki/QA:Testcase_realmd_join_automatic


> could lead to remote attackers logging into the local system by
> offering \r in LDAP responses that are treated by sssd and winbind as
> newline separator; therefore allowing to smuggle options into the
> config files used for startup

> https://bugs.freedesktop.org/show_bug.cgi?id=89207

> No data that was retrieved before join ... should be used when
> configuring sssd.conf and/or smb.conf.

Use CVE-2015-2704.
Comment 4 Swamp Workflow Management 2015-03-26 23:00:16 UTC
bugbot adjusting priority
Comment 6 Sebastian Krahmer 2015-04-22 12:20:50 UTC
realmd 0.16.0 was released, fixing the reported issues.
Using this version for checkin should be OK. I whitelisted the DBUS
service. Once it's built in the rpmlint, everything should work.
Comment 7 Bernhard Wiedemann 2015-05-19 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (916766) was mentioned in
https://build.opensuse.org/request/show/307957 Factory / rpmlint
Comment 8 Bernhard Wiedemann 2015-06-30 05:00:46 UTC
This is an autogenerated message for OBS integration:
This bug (916766) was mentioned in
https://build.opensuse.org/request/show/314449 42 / rpmlint
Comment 9 Bernhard Wiedemann 2015-06-30 09:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (916766) was mentioned in
https://build.opensuse.org/request/show/314479 42 / rpmlint
Comment 11 Swamp Workflow Management 2016-03-17 18:15:43 UTC
SUSE-RU-2016:0808-1: An update that has 9 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 897788,904060,907625,907662,915769,916766,918799,928492,941993
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    rpmlint-1.5-26.3.2