NetBSD Security Advisory 2023-005: su(1) bypass via pam_ksu(8)
29 June, 2023 by security-officer@netbsd.org | netbsd
NetBSD Security Advisory 2023-005
=================================

Topic:      su(1) bypass via pam_ksu(8)

Version:    NetBSD-current:     affected prior to 2023-06-20
            NetBSD 10.0_BETA:   affected prior to 2023-06-21
            NetBSD 9.3:         affected
            NetBSD 9.2:         affected
            NetBSD 9.1:         affected
            NetBSD 9.0:         affected
            NetBSD 8.2:         affected
            NetBSD 8.1:         affected
            NetBSD 8.0:         affected

Severity:   Local privilege escalation

Fixed:      NetBSD-current:     2023-06-20
            NetBSD-10 branch:   2023-06-21
            NetBSD-9 branch:    2023-06-21
            NetBSD-8 branch:    2023-06-21

Please note that NetBSD releases prior to 8.2 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

An unprivileged user can bypass su(1) security checks by exploiting a
flaw in the PAM module pam_ksu(8), which is supposed to authenticate
the user by checking their Kerberos password.


Technical Details
=================

On a system configured to use Kerberos, pam_ksu(8) is supposed to
authenticate an unprivileged user calling su(1) by prompting for the
user's Kerberos password, obtaining Kerberos tickets from the Kerberos
realm's KDC with the user's password, and verifying the user's tickets
with a secret keytab.

On a system not configured to use Kerberos, pam_ksu(8) is supposed to
fail harmlessly when it sees that /etc/krb5.conf does not exist.

However, the update to Heimdal 7.1 inadvertently lost a set-user-id
context check that pam_ksu(8) relied on to sanitize its context, and
so it would consult ~/.krb5/config for Kerberos configuration, whether
or not /etc/krb5.conf exists, in spite of being in a dangerous
set-user-id context.  This allows the user calling su(1) to completely
control pam_ksu's logic, by specifying a default realm, a KDC for the
realm, and the location of the keytab that pam_ksu(8) is to consult
for a secret key shared with the KDC that it uses to verify the user's
tickets.
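The set-user-id context check described above, written out as an added example rather than pam_ksu(8) or Heimdal code: a privileged process consults only the system /etc/krb5.conf and ignores the caller-controlled $KRB5_CONFIG and ~/.krb5/config. The function names, the CFG_LEN limit and the parameterised policy are assumptions made for the example.

```c
/* Added example, not pam_ksu(8) or Heimdal code: the set-user-id context
 * guard whose loss the advisory describes.  A privileged process must read
 * only /etc/krb5.conf, never $KRB5_CONFIG or ~/.krb5/config, which the
 * calling user controls.  All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define CFG_LEN 256

/* Does this process hold privilege its caller did not have?  issetugid(2)
 * is the right primitive on the BSDs; the uid/gid comparison is only a
 * portable fallback so the example builds elsewhere. */
int in_setugid_context(void)
{
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Fill out[] with the config files to consult, in order, and return how
 * many.  setugid, env_cfg ($KRB5_CONFIG, may be NULL) and home are passed
 * in so the policy can be tested without changing credentials. */
int krb5_config_candidates(int setugid, const char *env_cfg,
                           const char *home, char out[][CFG_LEN])
{
    int n = 0;
    if (!setugid) {                 /* caller-controlled sources */
        if (env_cfg && *env_cfg)
            snprintf(out[n++], CFG_LEN, "%s", env_cfg);
        if (home && *home)
            snprintf(out[n++], CFG_LEN, "%s/.krb5/config", home);
    }
    /* Vulnerable pam_ksu(8) lacked the guard above, so su(1) read the
     * caller's ~/.krb5/config and trusted the KDC and keytab named there. */
    snprintf(out[n++], CFG_LEN, "/etc/krb5.conf");
    return n;
}

int main(void)
{
    char files[3][CFG_LEN];
    int n = krb5_config_candidates(in_setugid_context(),
                getenv("KRB5_CONFIG"), getenv("HOME"), files);
    for (int i = 0; i < n; i++)
        printf("%s\n", files[i]);
    return 0;
}
```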
By simply running a KDC, possibly even on the same host on a
nonstandard port number, the user calling su(1) can convince
pam_ksu(8) to succeed.


Solutions and Workarounds
=========================

Workaround:

Disable pam_ksu(8) in /etc/pam.d/su by adding a single `#' character
at the start of the line where pam_ksu appears, in order to comment it
out.

To apply a fixed version from a releng build, fetch a fitting base.tgz
or base.tar.xz from nycdn.NetBSD.org and extract the fixed binaries:

        cd /var/tmp
        ftp https://nycdn.NetBSD.org/pub/NetBSD-daily/REL/BUILD/ARCH/binary/sets/base.tar.xz
        cd /
        tar xzpf /var/tmp/base.tar.xz ./usr/lib/security/pam_ksu.so.4

with the following replacements:

        REL   = the release version you are using
        BUILD = the source date of the build. 20230621* and later will fit
        ARCH  = your system's architecture

The following instructions describe how to upgrade your pam_ksu(8)
binaries by updating your source tree and rebuilding and installing a
new version of pam_ksu(8).

* NetBSD-current:

        Systems running NetBSD-current dated from before 2023-06-21
        should be upgraded to NetBSD-current dated 2023-06-22 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                # cd src
                # cvs update -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 10.*:

        Systems running NetBSD 10.* sources dated from before
        2023-06-21 should be upgraded from NetBSD 9.* sources dated
        2023-06-22 or later.

        The following files/directories need to be updated from the
        netbsd-10 branch:
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                # cd src
                # cvs update -r netbsd-10 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 9.*:

        Systems running NetBSD 9.* sources dated from before
        2023-06-21 should be upgraded from NetBSD 9.* sources dated
        2023-06-22 or later.

        The following files/directories need to be updated from the
        netbsd-9 branch:
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install pam_ksu:
                # cd src
                # cvs update -r netbsd-9 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 8.*:

        Systems running NetBSD 8.* sources dated from before
        2023-06-21 should be upgraded from NetBSD 8.* sources dated
        2023-06-22 or later.

        The following files/directories need to be updated from the
        netbsd-8 branch:
                lib/libpam/modules/pam_ksu/pam_ksu.c

        To update from CVS, re-build, and re-install Heimdal:
                # cd src
                # cvs update -r netbsd-8 -d -P lib/libpam/modules/pam_ksu/pam_ksu.c
                # cd lib/libpam/modules/pam_ksu
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Nico Williams, for pointing out the bug fix in Heimdal.


Revision History
================

        2023-06-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.  The
most recent version of this advisory (PGP signed) can be found at
        https://cdn.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2023-NNN.txt.asc

Information about NetBSD and NetBSD security can be found at
        https://www.NetBSD.org/
        https://www.NetBSD.org/Security/


Copyright 2023, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2023-005.txt,v 1.1 2023/06/28 15:33:37 christos Exp $