[SECURITY] default PAM settings allow any local account to authenticate to xapi

Bug #1031375 reported by Mike McClurg
This bug affects 2 people
Affects             Status        Importance  Assigned to  Milestone
xen-api (Ubuntu)    Fix Released  Undecided   Unassigned
  Precise           Fix Released  High        Unassigned
  Quantal           Fix Released  Undecided   Unassigned

Bug Description

Xapi's default PAM settings allow any local user to authenticate and issue remote API commands. I have attached a debdiff which resolves this issue. Below is a diff which describes the changes we'll make to the xapi PAM config file.

--- /etc/pam.d/xapi
+++ /etc/pam.d/xapi
@@ -1,4 +1,5 @@
 #%PAM-1.0
-auth include common-auth
-account include common-auth
-password include common-auth
+
+auth sufficient pam_succeed_if.so user ingroup root
+#Uncomment to allow group 'xapi' to authenticate. You must create this group manually!
+#auth sufficient pam_succeed_if.so user ingroup xapi
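
Review bot: as written, the new auth stack never verifies a password. `auth sufficient pam_succeed_if.so user ingroup root` returns success the moment the group test matches, and the `auth include common-auth` line that used to run the password module is removed, so a client presenting the name of any root-group account authenticates whatever password it supplies. A failing `sufficient` entry is ignored, so every other local user is refused only by PAM's implicit "no module produced a result" denial; an explicit trailing `auth required pam_deny.so` would make that intent visible. If the goal is "root only, with the normal password check", the gate should be `auth required pam_succeed_if.so user ingroup root` followed by the retained `auth include common-auth`; the commented-out xapi line has the same problem. The `account` and `password` stacks are also dropped with no replacement, so either keep those includes or add a comment stating that xapi only ever calls pam_authenticate on this service.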

This update will soon be pushed into Debian Wheezy. Please apply this update to the xen-api package in Precise.

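As an added example (not code from the xen-api package or from the bug reporter), the following Python script simulates how Linux-PAM walks an auth stack, under simplified control-flag semantics, for three variants of /etc/pam.d/xapi: the original `include common-auth` stack, the stack exactly as the diff above leaves it, and an assumed variant that uses `required` for the group test and keeps the common-auth include. The accounts, passwords and group memberships are constructed, `COMMON_AUTH` is a one-line stand-in for Debian's real common-auth, and only pam_unix and the `user ingroup` form of pam_succeed_if are modelled.

```python
# Added example, not code from the xen-api package: a toy evaluator for
# Linux-PAM auth stacks (control flags required/requisite/sufficient/include).
# Accounts, passwords and group memberships below are constructed.

USERS = {  # name -> (password, groups)
    "root":  ("r00tpw",  {"root"}),
    "alice": ("alicepw", {"users"}),          # ordinary local account
    "bob":   ("bobpw",   {"users", "xapi"}),  # member of the optional xapi group
}
# Simplified stand-in for Debian's /etc/pam.d/common-auth (the real file wraps
# pam_unix in bracketed actions; one required line is enough for this purpose).
COMMON_AUTH = "auth required pam_unix.so\n"

# /etc/pam.d/xapi before the change: any account that passes pam_unix wins.
PAM_XAPI_ORIGINAL = """\
#%PAM-1.0
auth include common-auth
account include common-auth
password include common-auth
"""

# /etc/pam.d/xapi exactly as the diff in the report leaves it.
PAM_XAPI_PATCHED = """\
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
"""

# Assumed variant (not from the report): gate on group membership with
# 'required', then still verify the password through common-auth.
PAM_XAPI_HARDENED = """\
#%PAM-1.0
auth required pam_succeed_if.so user ingroup root
auth include common-auth
account include common-auth
password include common-auth
"""

INCLUDABLE = {"common-auth": COMMON_AUTH}


def parse(text, stack="auth"):
    """Return [(control, module, args)] for one stack type, expanding includes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, control, module, *args = line.split()
        if typ != stack:
            continue
        if control == "include":
            entries.extend(parse(INCLUDABLE[module], stack))
        else:
            entries.append((control, module, args))
    return entries


def run_module(module, args, user, password):
    """Emulate the two modules these stacks use; True means PAM_SUCCESS."""
    if module == "pam_unix.so":
        return user in USERS and USERS[user][0] == password
    if module == "pam_succeed_if.so":
        if args[:2] != ["user", "ingroup"]:   # only this test is modelled
            raise ValueError("unsupported pam_succeed_if test: %r" % args)
        return user in USERS and args[2] in USERS[user][1]
    raise ValueError("unknown module %s" % module)


def authenticate(pam_file, user, password):
    """Walk the auth stack with (simplified) Linux-PAM control-flag rules."""
    failed = False    # some 'required' module has already failed
    decided = False   # at least one module has contributed a result
    for control, module, args in parse(pam_file, "auth"):
        ok = run_module(module, args, user, password)
        if control == "required":
            decided = True
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
            decided = True
        elif control == "sufficient":
            # success ends the stack at once unless a 'required' module already
            # failed; failure is ignored, so nothing else need ever run
            if ok and not failed:
                return True
        else:
            raise ValueError("unsupported control flag %s" % control)
    # no module set a result, or a required module failed: PAM denies
    return decided and not failed


if __name__ == "__main__":
    for name, cfg in [("original", PAM_XAPI_ORIGINAL), ("as patched", PAM_XAPI_PATCHED),
                      ("required+common-auth", PAM_XAPI_HARDENED)]:
        for user, pw in [("root", "r00tpw"), ("root", "wrong"), ("alice", "alicepw")]:
            print("%-21s %-6s %-8s -> %s" % (name, user, pw,
                                              "ALLOW" if authenticate(cfg, user, pw) else "deny"))
```

Running it shows the three behaviours side by side: the original stack lets any local account that knows its own password through, the stack from the diff lets a root-group account through with any password at all because `sufficient` returns success before any password module runs, and the `required` variant admits only root-group members who also pass pam_unix.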
Revision history for this message
Thomas Goirand (thomas-goirand) wrote :

Hi,

Please note that this has been fixed in SID. So for Ubuntu 12.10, I would recommend syncing from SID, which, by the way, has many other fixes. I would also recommend taking the latest version from SID for Ubuntu 12.04, but if that's not the policy, then a backport of the fix can be done.

Thomas

security vulnerability: yes → no
visibility: private → public
Changed in xen-api (Ubuntu Quantal):
status: New → Fix Committed
status: Fix Committed → Fix Released
Changed in xen-api (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Mike - Thanks for the debdiff!

There were a few corrections that I made to the changelog:

- The update wasn't targeted for the precise-security pocket
- It didn't reference this bug
- The new version was incorrect
- It didn't follow the security update style

Please see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for more details and watch for the changelog that gets posted in this bug when the updated package is released.

Additionally, I added some simple patch tags to the patch. Patch tag descriptions can be found at http://dep.debian.net/deps/dep3/

I made these changes myself so that we could get this security update out, but please do review those links for any future security debdiffs you provide. Thanks again for your contribution!

Revision history for this message
Mike McClurg (mike-mcclurg) wrote : Re: [Bug 1031375] Re: [SECURITY] default PAM settings allow any local account to authenticate to xapi

On Fri, Aug 3, 2012 at 9:02 PM, Tyler Hicks <email address hidden> wrote:
> Hi Mike - Thanks for the debdiff!
>
> There were a few corrections that I made to the changelog:
>
> - The update wasn't targeted for the precise-security pocket
> - It didn't reference this bug
> - The new version was incorrect
> - It didn't follow the security update style
>
> Please see
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for
> more details and watch for the changelog that gets posted in this bug
> when the updated package is released.
>
> Additionally, I added some simple patch tags to the patch. Patch tag
> descriptions can be found at http://dep.debian.net/deps/dep3/
>
> I made these changes myself so that we could get this security update
> out, but please do review those links for any future security debdiffs
> you provide. Thanks again for your contribution!

Thanks for that, Tyler! I'll read up on the procedures before I send
in any more debdiffs!

Mike

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xen-api - 1.3.2-5ubuntu0.1

---------------
xen-api (1.3.2-5ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: PAM settings allowed any local user to issue remote API
    commands (LP: #1031375)
    - debian/patches/pam-auth-root-xapi-group: Xapi only authenticates the
      root user when making API calls over HTTP. Based on Debian patch.
 -- Mike McClurg <email address hidden> Thu, 26 Jul 2012 15:30:25 +0100

Changed in xen-api (Ubuntu Precise):
status: Confirmed → Fix Released