Date: Mon, 30 Mar 2015 17:00:21 +0200 From: Sebastian Krahmer <krahmer@...e.de> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVS-Request: realmd code execution/auth bypass On Wed, Mar 25, 2015 at 04:36:52PM -0400, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Upstream has opened two bugs for issues in realmd > > This initial response has a CVE ID only for the second one. > > > could lead to remote attackers logging into the local system > > by placing an evil AD server in the LAN > > https://bugs.freedesktop.org/show_bug.cgi?id=89205 > > Is upstream planning to announce this as a vulnerability fix? Although > the old behavior was unsafe if there was any possibility of an > untrusted device on the LAN, it appears that the old behavior had been > intentional. For example, the old behavior may have been chosen as a > security/convenience tradeoff. This example might be applicable: > > https://fedoraproject.org/wiki/QA:Testcase_realmd_join_automatic > Are CVE's only assigned if upstream is issuing fixes? The bug entry reads like that there is something that needs fixing: Attackers can pose as a legit realm (with the same name) so the admin is tricked to join to a rogue AD, allowing an attacker to log into the machine. The admin has no chance to know that he joined an evil AD which has hijacked his legit realm-name. Even when its intentional that the join is automatic for convenience, it should "somehow" be ensured that the legit AD servers are used. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ