Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Mar 2015 17:00:21 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVS-Request: realmd code execution/auth bypass

On Wed, Mar 25, 2015 at 04:36:52PM -0400, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > Upstream has opened two bugs for issues in realmd
> 
> This initial response has a CVE ID only for the second one.
> 
> > could lead to remote attackers logging into the local system
> > by placing an evil AD server in the LAN
> > https://bugs.freedesktop.org/show_bug.cgi?id=89205
> 
> Is upstream planning to announce this as a vulnerability fix? Although
> the old behavior was unsafe if there was any possibility of an
> untrusted device on the LAN, it appears that the old behavior had been
> intentional. For example, the old behavior may have been chosen as a
> security/convenience tradeoff. This example might be applicable:
> 
>   https://fedoraproject.org/wiki/QA:Testcase_realmd_join_automatic
> 

Are CVE's only assigned if upstream is issuing fixes? The bug
entry reads like that there is something that needs fixing:

Attackers can pose as a legit realm (with the same name) so the admin is tricked to
join to a rogue AD, allowing an attacker to log into the machine.
The admin has no chance to know that he joined an evil AD which
has hijacked his legit realm-name.
Even when its intentional that the join is automatic for convenience,
it should "somehow" be ensured that the legit AD servers are used.

Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ