NetBSD Security Advisory 2023-005: su(1) bypass via pam_ksu(8)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		 NetBSD Security Advisory 2023-005
		 =================================

Topic:		su(1) bypass via pam_ksu(8)

Version:	NetBSD-current:		affected prior to 2023-06-20
		NetBSD 10.0_BETA:	affected prior to 2023-06-21
		NetBSD 9.3:		affected
		NetBSD 9.2:		affected
		NetBSD 9.1:		affected
		NetBSD 9.0:		affected
		NetBSD 8.2:		affected
		NetBSD 8.1:		affected
		NetBSD 8.0:		affected

Severity:	Local privilege escalation

Fixed:		NetBSD-current:		2023-06-20
		NetBSD-10 branch:	2023-06-21
		NetBSD-9 branch:	2023-06-21
		NetBSD-8 branch:	2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can bypass su(1) security checks by exploiting a
flaw in the PAM module pam_ksu(8), which is supposed to authenticate
the user by checking their Kerberos password.


Technical Details
=================

On a system configured to use Kerberos, pam_ksu(8) is supposed to
authenticate an unprivileged user calling su(1) by prompting for the
user's Kerberos password, obtaining Kerberos tickets from the Kerberos
realm's KDC with the user's password, and verifying the user's tickets
with a secret keytab.

On a system not configured to use Kerberos, pam_ksu(8) is supposed to
fail harmlessly when it sees that /etc/krb5.conf does not exist.

However, the update to Heimdal 7.1 inadvertently lost a set-user-id
context check that pam_ksu(8) relied on to sanitize its context, and so
it would consult ~/.krb5/config for Kerberos configuration, whether or
not /etc/krb5.conf exists, in spite of being in a dangerous set-user-id
context.

This allows the user calling su(1) to completely control pam_ksu's
logic, by specifying a default realm, a KDC for the realm, and the
location of the keytab that pam_ksu(8) is to consult for a secret key
shared with the KDC that it uses to verify the user's tickets.  By
simply running a KDC, possibly even on the same host on a nonstandard
port number, the user calling su(1) can convince pam_ksu(8) to succeed.
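The defect described above is the absence of a "secure context" check before a library consults user-controlled configuration. The following is an added illustration, not NetBSD's or Heimdal's code: a small C program that decides which Kerberos configuration files may be read, keeping the decision in a pure function so it can be exercised with constructed credentials. The names krb5_secure_context(), krb5_config_candidates() and cred_ctx_self() are hypothetical; the system path /etc/krb5.conf and the per-user path ~/.krb5/config are the ones the advisory names, and KRB5_CONFIG is the environment variable Heimdal honours in non-secure contexts. On NetBSD the kernel's answer comes from issetugid(2); on Linux the equivalent is getauxval(AT_SECURE).

```c
#define _GNU_SOURCE
/*
 * Added example (hypothetical names, not Heimdal's implementation):
 * refuse per-user Kerberos configuration sources when the process is
 * running in a set-user-id context such as su(1) calling pam_ksu(8).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__linux__)
#include <sys/auxv.h>      /* getauxval(AT_SECURE): kernel's "started set-id" flag */
#endif

#define MAX_CANDIDATES   4
#define CANDIDATE_LEN    256
#define SYSTEM_KRB5_CONF "/etc/krb5.conf"

/* Credentials of the process whose configuration lookup is being decided. */
struct cred_ctx {
    uid_t ruid, euid;
    gid_t rgid, egid;
    bool  kernel_secure;   /* issetugid(2) / AT_SECURE result, if the platform has one */
};

/*
 * A process is tainted when any effective id differs from the real id,
 * or when the kernel remembers that it was started set-id.  The second
 * test matters: after privileges are dropped, real == effective again,
 * but the environment and home directory are still the caller's.
 */
bool krb5_secure_context(const struct cred_ctx *c)
{
    return c->kernel_secure || c->ruid != c->euid || c->rgid != c->egid;
}

/*
 * Write the configuration files to consult, in priority order, into `out`.
 * In a secure context only the system file is eligible; otherwise the
 * per-user sources (KRB5_CONFIG, then ~/.krb5/config) come first.
 * Returns the number of candidates written (at most `max`).
 */
size_t krb5_config_candidates(const struct cred_ctx *c,
                              const char *env_krb5_config,
                              const char *home,
                              char out[][CANDIDATE_LEN], size_t max)
{
    size_t n = 0;

    if (!krb5_secure_context(c)) {
        if (env_krb5_config != NULL && *env_krb5_config != '\0' && n < max)
            snprintf(out[n++], CANDIDATE_LEN, "%s", env_krb5_config);
        if (home != NULL && *home != '\0' && n < max)
            snprintf(out[n++], CANDIDATE_LEN, "%s/.krb5/config", home);
    }
    if (n < max)
        snprintf(out[n++], CANDIDATE_LEN, "%s", SYSTEM_KRB5_CONF);
    return n;
}

/* Gather the live process credentials: portable ids plus the per-OS secure flag. */
struct cred_ctx cred_ctx_self(void)
{
    struct cred_ctx c = {
        .ruid = getuid(), .euid = geteuid(),
        .rgid = getgid(), .egid = getegid(),
        .kernel_secure = false,
    };
#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    c.kernel_secure = issetugid() != 0;
#elif defined(__linux__)
    c.kernel_secure = getauxval(AT_SECURE) != 0;
#endif
    return c;
}

int main(void)
{
    struct cred_ctx c = cred_ctx_self();
    char paths[MAX_CANDIDATES][CANDIDATE_LEN];
    size_t n = krb5_config_candidates(&c, getenv("KRB5_CONFIG"), getenv("HOME"),
                                      paths, MAX_CANDIDATES);

    printf("secure context: %s\n", krb5_secure_context(&c) ? "yes" : "no");
    for (size_t i = 0; i < n; i++)
        printf("  config candidate %zu: %s\n", i + 1, paths[i]);
    return 0;
}
```

Run as an ordinary user the program lists the per-user sources before /etc/krb5.conf; installed set-user-id, or run under a process that was started set-id and later dropped privileges, it lists only /etc/krb5.conf. That second case is why the kernel flag is consulted in addition to comparing real and effective ids.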


Solutions and Workarounds
=========================

Workaround:  Disable pam_ksu(8) in /etc/pam.d/su by adding a single `#'
character at the start of the line where pam_ksu appears, in order to
comment it out.

To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

cd /var/tmp
ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tar.xz
cd /
tar xzpf /var/tmp/base.tar.xz ./usr/lib/security/pam_ksu.so.4

with the following replacements:
REL   = the release version you are using
BUILD = the source date of the build. 20230621* and later will fit
ARCH  = your system's architecture


The following instructions describe how to upgrade your pam_ksu(8)
binaries by updating your source tree and rebuilding and
installing a new version of pam_ksu(8).

* NetBSD-current:

	Systems running NetBSD-current dated from before 2023-06-21
	should be upgraded to NetBSD-current dated 2023-06-22 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libpam/modules/pam_ksu/pam_ksu.c

	To update from CVS, re-build, and re-install pam_ksu:
		# cd src
		# cvs update -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
		# cd lib/libpam/modules/pam_ksu
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 10.*:

	Systems running NetBSD 10.* sources dated from before
	2023-06-21 should be upgraded from NetBSD 10.* sources dated
	2023-06-22 or later.

	The following files/directories need to be updated from the
	netbsd-10 branch:
		lib/libpam/modules/pam_ksu/pam_ksu.c

	To update from CVS, re-build, and re-install pam_ksu:

		# cd src
		# cvs update -r netbsd-10 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
		# cd lib/libpam/modules/pam_ksu
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 9.*:

	Systems running NetBSD 9.* sources dated from before 2023-06-21
	should be upgraded from NetBSD 9.* sources dated 2023-06-22 or
	later.

	The following files/directories need to be updated from the
	netbsd-9 branch:
		lib/libpam/modules/pam_ksu/pam_ksu.c

	To update from CVS, re-build, and re-install pam_ksu:

		# cd src
		# cvs update -r netbsd-9 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
		# cd lib/libpam/modules/pam_ksu
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 8.*:

	Systems running NetBSD 8.* sources dated from before 2023-06-21
	should be upgraded from NetBSD 8.* sources dated 2023-06-22 or
	later.

	The following files/directories need to be updated from the
	netbsd-8 branch:
		lib/libpam/modules/pam_ksu/pam_ksu.c

	To update from CVS, re-build, and re-install pam_ksu:

		# cd src
		# cvs update -r netbsd-8 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
		# cd lib/libpam/modules/pam_ksu
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Nico Williams, for pointing out the bug fix in Heimdal.


Revision History
================

	2023-06-28	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

	https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at

	https://www.NetBSD.org/
	https://www.NetBSD.org/Security/

Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2023-005.txt,v 1.1 2023/06/28 15:33:37 christos Exp $
-----BEGIN PGP SIGNATURE-----

iQJQBAEBCAA6FiEEJxEzJivzXLUNT1BGiSYeF/XvSf8FAmScUtIcHHNlY3VyaXR5
LW9mZmljZXJAbmV0YnNkLm9yZwAKCRCJJh4X9e9J/09OD/9WQfTwgktG+SDvfkwb
hJwG9KefbPC/rkRR4KeTCcFdm+MFqoVX+VrQ04Q+N8zrjmHsuaZuE7tyQF7nGLRL
rQMLV0OsBOEP2y20gFzEjdS9GbI1vFkM8sSaSlHgfO5HFyUyS/4tdir7zBt2BfTA
1+isdqoDazuVtWiKvxdEVnC69eraICFzOcTJHBDeWx6iX7uzIb4EX1KB+r4D6EGX
4XB8caIYm+2pLGGOWvRE8jTnICSZI4AplZFAsfB9OpflAR3VoTi3Snf/bgJK/ygt
TPKVC1ZNkG+4dk07aDHYwf1v0F3blZfZ0jA+epn6YcSS3H/9CLU646Dg2sBmogb0
cA9eYgNtYel3Zn/1M/BtdRyY1qPmGQ7zCe92gwoPmub4x/WOr4qWb8aWGVkUjsn4
3BiV3JmKbW0eM7fzX3OW10t4mviGmi6pfu+5U4IICrjbVr0JbqdKiKywU42X7HCP
MVRpt9zXIGByBP5NWpisqBLR6B7VjxsPpVPEn02/K/rjodQymMFJj87gkLaCQ4VB
j0u9F8LDTQtJ6nhafsFcNZ7qdIKNbkYG3upFjA6fHXkUiRr/moLi3S6yPHh/fcvC
nQQ7MbldzSXcJRDRKoRLw//kbeFam/05Kas2Ya2yo0fFKtbaNcPCCFrNJMGGjgao
/zN9bnszyolNA7KKBPQoMFuOag==
=g7kZ
-----END PGP SIGNATURE-----