EGI SVG Advisories

Advisory-SVG-2013-5168

** WHITE information - Unlimited distribution allowed                       **
** see https://go.egi.eu/tlp for distribution restrictions **


EGI SVG ADVISORY [EGI-SVG-2013-5138]

Title:   EGI SVG Advisory 'Moderate' RISK  Globus GSI-OpenSSH vulnerability
         [EGI-SVG-2013-5168]

Date:    2013-10-25
Updated: <date  yyyy-mm-dd>

URL:     https://advisories.egi.eu/2013/Advisory-SVG-2013-5168

Introduction
============

A vulnerability was found in GSI-OpenSSH and fixed by the globus team.

This is now available in the version of GSI-OpenSSH in EGI UMD 2, in release
2.7.0

This software not included in UMD 3 so this advisory is not relevant to sides
running software from UMD-3

Details
=======

Details are as below in the original Globus advisory appended.


Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment
Team


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).

Sites using the EGI UMD 2 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-2/

Sites who wish to install directly from the EMI 2 release should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/


Recommendations
===============

Sites are recommended to update relevant components in due course.


Globus Original Advisory
========================

GSI-OpenSSH Security Advisory: pamuserchange-2013-01.adv

URL: http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv

Original issue date: March 12 2013
Last revised: None

Software affected:
  GSI-OpenSSH (versions 4.7-5.5)
  GSI patch for OpenSSH (versions 20090831-20120903)

1. Overview

GSI-OpenSSH is a modified version of OpenSSH that adds support for RFC 3820
proxy certificate authentication and delegation. GSI-OpenSSH is provided by
NCSA and is not associated with the OpenSSH project.
GSI-OpenSSH is provided as both a standalone package and as a patch to OpenSSH.

The PermitPAMUserChange feature added to GSI-OpenSSH in August 2009 [1] based
on an earlier OpenSSH patch [2] contains a memory management bug that may allow
an authenticated user to log in to an unauthorized account. The
PermitPAMUserChange feature is disabled by default and must be explicitly
enabled by the system administrator.  It is used primarily with MEG (MyProxy
Enabled GSISSHD) [3].

The PermitPAMUserChange feature allows users to log in to a system using a
username that need not correspond to a local system account, provided that PAM
accepts the username, authenticates the user, and then maps the user to an
existing local system account via PAM_USER.
The memory management bug can cause the authenticated user to be mapped to an
account different than PAM_USER.

2. Affected Configurations

Default configurations of GSI-OpenSSH are not affected.

The bug can be triggered only if sshd_config contains "PermitPAMUserChange yes"
and /etc/pam.d/sshd (or equivalent) is configured with a PAM module that
modifies PAM_USER.

3. Mitigation

Removing "PermitPAMUserChange yes" from sshd_config (if it was previously added
by the system administrator) will disable the affected functionality.

4. Fix

GSI-OpenSSH 5.6 contains a fix for this bug.

Alternatively system administrators may apply the following patch to the
GSI-OpenSSH source code:

diff -Naur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c  2010-08-10 14:36:30.000000000 +0000
+++ new/auth-pam.c  2013-03-12 19:10:29.000000000 +0000
@@ -312,7 +312,7 @@
            fatal("PAM: could not get passwd entry for user "
                "'%.100s' provided by PAM_USER", user);
        pwfree(sshpam_authctxt->pw);
-       sshpam_authctxt->pw = pw;
+       sshpam_authctxt->pw = pwcopy(pw);
        sshpam_authctxt->valid = allowed_user(pw);
        debug("PAM: user '%.100s' now %svalid", user,
            sshpam_authctxt->valid ? "" : "in");

5. Credit

This issue was reported by Venkatesh Yekkirala.

6. References

[1] https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6839
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1215
[3] http://wiki.ngs.ac.uk/index.php?title=MEG


Timeline
========

Yyyy-mm-dd

2013-03-12 Advisory draft discussed on Globus Security Committee
2013-04-02 Advisory made public by Globus
2013-04-05 Risk assessed as 'Moderate' for EGI.
2013-04-05 Noted a vulnerable version in UMD
2013-04-05 This was reported to IGE people and UMD people
2013-10-23 Updated packages available in the EGI UMD-2
2013-10-25 Sites informed and Public disclosure of this advisory