Bugzilla – Bug 972436
VUL-0: CVE-2016-3176: salt: Insecure configuration of PAM external authentication service
Last modified: 2017-10-25 19:58:48 UTC
https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html

This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM external authentication is enabled. This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service. This update defines the PAM eAuth service that users authenticate against in the Salt Master configuration.
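The two shapes of the `auth()` entry point that the description above contrasts, as an added illustration (not Salt's own code): a constructed stand-in replaces the ctypes PAM conversation so it runs offline, and `auth_before_fix`/`auth_after_fix`/`FAKE_PAM_SERVICES` are names chosen here, not Salt identifiers.

```python
# Added illustration of CVE-2016-3176; not code from salt/auth/pam.py.
# A fake PAM backend stands in for the system stack so the example runs
# offline. The only thing being demonstrated is where the service name
# that selects the PAM stack comes from.

# Constructed stand-in for /etc/pam.d/<service> stacks. "login" checks a
# real credential; "weak-svc" is a hypothetical service whose stack accepts
# anything, the kind of stack an attacker-chosen name could select.
FAKE_PAM_SERVICES = {
    "login": lambda user, pw: (user, pw) == ("alice", "correct-horse"),
    "weak-svc": lambda user, pw: True,
}


def pam_authenticate(username, password, service):
    """Stand-in for the PAM conversation; unknown services fail closed."""
    check = FAKE_PAM_SERVICES.get(service)
    return bool(check and check(username, password))


def auth_before_fix(username, password, **kwargs):
    # Pre-2015.5.10 shape: the service name is read from kwargs, i.e. from
    # the eauth request the client sent to the master.
    return pam_authenticate(username, password, kwargs.get("service", "login"))


def auth_after_fix(opts, username, password, **kwargs):
    # Post-fix shape: the service name comes only from master config
    # (Salt reads __opts__; passed in here as `opts` so it is testable).
    # A caller-supplied "service" kwarg is ignored entirely.
    service = opts.get("auth.pam.service", "login")
    return pam_authenticate(username, password, service)


def demo():
    """Return (vulnerable_result, fixed_result) for a wrong password sent
    with a client-chosen service name."""
    return (
        auth_before_fix("alice", "wrong", service="weak-svc"),
        auth_after_fix({"auth.pam.service": "login"}, "alice", "wrong",
                       service="weak-svc"),
    )
```

The fixed shape also means the master operator, not the client, decides which stack is consulted, so reviewing `auth.pam.service` in the master config is the relevant hardening check after upgrading.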
bugbot adjusting priority
Based on the description the fix is probably https://github.com/saltstack/salt/pull/31826, although somewhat irritatingly, the git logs don't seem to reference this CVE number.
OK, doc/topics/releases/2015.5.10.rst says that the only fix in 2015.5.10 is for CVE-2016-3176, so I diff'd v2015.5.9 and v2015.5.10 and got this: # git diff v2015.5.9 v2015.5.10 diff --git a/salt/auth/pam.py b/salt/auth/pam.py index f166118..13ffe40 100644 --- a/salt/auth/pam.py +++ b/salt/auth/pam.py @@ -12,6 +12,13 @@ a user against the Pluggable Authentication Modules (PAM) on the system. Implemented using ctypes, so no compilation is necessary. +There is one extra configuration option for pam. The `pam_service` that is +authenticated against. This defaults to `login` + +.. code-block:: yaml + + auth.pam.service: login + .. note:: PAM authentication will not work for the ``root`` user. The Python interface to PAM does not support authenticating as ``root``. @@ -126,7 +133,7 @@ def __virtual__(): return HAS_PAM -def authenticate(username, password, service='login'): +def authenticate(username, password): ''' Returns True if the given username and password authenticate for the given service. Returns False otherwise @@ -134,10 +141,9 @@ def authenticate(username, password, service='login'): ``username``: the username to authenticate ``password``: the password in plain text - - ``service``: the PAM service to authenticate against. - Defaults to 'login' ''' + service = __opts__.get('auth.pam.service', 'login') + @CONV_FUNC def my_conv(n_messages, messages, p_response, app_data): ''' 
@@ -173,7 +179,7 @@ def auth(username, password, **kwargs): ''' Authenticate via pam ''' - return authenticate(username, password, kwargs.get('service', 'login')) + return authenticate(username, password) def groups(username, *args, **kwargs): That's the same diff as in the PR I mentioned in comment 2, which tells me I'm not missing anything else, so that's the patch I'll submit. There was some slight fuzz applying this to salt 2014.1 (the oldest application of this patch upstream was 2014.7), but nothing significant/problematic. (I figured recording WTF I'm doing is probably a good idea when fixing a CVE)
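Review bot: the docstring of `authenticate` is left stale by the second hunk: after `service` is dropped from the signature it still reads "Returns True if the given username and password authenticate for the given service", and the new `service = __opts__.get('auth.pam.service', 'login')` line is the only hint where the service now comes from; suggest rewording it to say the service is taken from the master's `auth.pam.service` option. Also note that the third hunk makes `auth()` silently discard a client-supplied `service` kwarg rather than reject or log it; a debug/warning log when `kwargs` contains `service` would make attempts to select another stack visible to operators.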
Submitted: https://build.suse.de/request/show/107904 https://build.suse.de/request/show/107908 https://build.suse.de/request/show/107912 Question on procedure - can I mark this resolved now? Or do CVEs need further review?
(In reply to Tim Serong from comment #4) Once you're done with security incidents, please assign the bug to the security-team.
Reassigning per comment 5
SUSE-SU-2016:0970-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 972436 CVE References: CVE-2016-3176 Sources used: SUSE Enterprise Storage 2 (src): salt-2014.1.10-3.1
SUSE-SU-2016:0972-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 972436 CVE References: CVE-2016-3176 Sources used: SUSE Enterprise Storage 2.1 (src): salt-2014.1.10-5.1
SUSE-SU-2016:1343-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 972436 CVE References: CVE-2016-3176 Sources used: SUSE Enterprise Storage 1.0 (src): salt-2014.1.10-5.6
released