-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-11:10.pam Security Advisory The FreeBSD Project Topic: pam_start() does not validate service names Category: contrib Module: pam Announced: 2011-12-23 Credits: Matthias Drochner Affects: All supported versions of FreeBSD. Corrected: 2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE) 2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5) 2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9) 2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE) 2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5) 2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7) 2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE) 2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE) CVE Name: CVE-2011-4122 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/. The PAM API is a de facto industry standard which has been implemented by several parties. FreeBSD uses the OpenPAM implementation. II. Problem Description Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. Since OpenPAM treats the policy name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run such an application can craft their own policies and cause the application to load and execute their own modules. III. Impact If an application that runs with root privileges allows the user to specify the name of the PAM policy to load, users who are permitted to run that application will be able to execute arbitrary code with root privileges. There are no vulnerable applications in the base system. IV. Workaround No workaround is available, but systems without untrusted users are not vulnerable. Inspect any third-party setuid / setgid binaries which use the PAM library and ascertain whether they allow the user to specify the policy name, then either change the binary's permissions to prevent its use or remove it altogether. The following command will output a non-zero number if a dynamically linked binary uses libpam: # ldd /usr/local/bin/suspicious_binary | grep -c libpam The following command will output a non-zero number if a statically linked binary uses libpam: # grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch # fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libpam # make obj && make depend && make && make install NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in 3) To update your vulnerable system via a binary patch: Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.2 RELENG_7_4 src/UPDATING 1.507.2.36.2.7 src/sys/conf/newvers.sh 1.72.2.18.2.10 src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.1.8.1 RELENG_7_3 src/UPDATING 1.507.2.34.2.11 src/sys/conf/newvers.sh 1.72.2.16.2.13 src/contrib/openpam/lib/openpam_configure.c 1.1.1.7.20.1.6.1 RELENG_8 src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.2.1 RELENG_8_2 src/UPDATING 1.632.2.19.2.7 src/sys/conf/newvers.sh 1.83.2.12.2.10 src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.8.1 RELENG_8_1 src/UPDATING 1.632.2.14.2.10 src/sys/conf/newvers.sh 1.83.2.10.2.11 src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.6.1 RELENG_9 src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.10.1 RELENG_9_0 src/contrib/openpam/lib/openpam_configure.c 1.1.1.8.12.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r228467 releng/7.4/ r228843 releng/7.3/ r228843 stable/8/ r228466 releng/8.2/ r228843 releng/8.1/ r228843 stable/9/ r228464 releng/9.0/ r228465 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk70nOoACgkQFdaIBMps37KEWgCgiD/7EymFrnFueD7yyLiI3hLV lU4An2FUTQRJ0GakViobm9ejHdfmf2Vb =9COS -----END PGP SIGNATURE-----