-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 X41 D-Sec GmbH Security Advisory: X41-2018-003 Multiple Vulnerabilities in pam_pkcs11 ====================================== Overview - -------- Confirmed Affected Versions: 0.6.9 Confirmed Patched Versions: - Vendor: Unmaintained Vendor URL: https://github.com/OpenSC/pampkcs11 Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-003-pampkcs11/ Summary and Impact - ------------------ It is possible to replay an authentication by using a specially prepared smartcard or token in case pam-pkcs11 is compiled with NSS support. Furthermore two minor implementation issues have been identified. X41 did not perform a full test or audit on the software. Product Description - ------------------- This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby accessed by means of an appropriate PKCS #11 module. For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used. Authentication Replay ===================== Severity Rating: High Vector: Login attempt at compromised machine CVE: - CWE: 125 CVSS Score: 7.0 (High) CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Summary and Impact - ------------------ A replay attack is possible due to a logic bug in file pampkcs11.c. In function `pamsmauthenticate()a nonce is generated and signed with the card to verify that the card holds the matching secret key, if a valid certifiate is found. This is done using the functiongetrandomvalue(), which in turn callsPK11GenerateRandom()`, which queries the smartcard for random data. This allows for a replay attack with a malicious smartcard. If a user plugins in his card into a compromised computer, the nonce and answer can be recorded by an attacker. The attacker then modifies a smartcard or a smartcard emulator to replay with the exact same nonce and signed data, which allows the attacker to login to another computer without having further access to the smartcard. Workarounds - ----------- Switch to pam_p11. Buffer Overflow =============== Severity Rating: Low Vector: Overly long user home directory CVE: - CWE: 121 CVSS Score: - CVSS Vector: - Summary and Impact - ------------------ In file opensshmapper.c a stack based buffer overflow is possible if a user has a home directory with a length of more than 512 bytes. This allows to overwrite the passwd structure and possibly the return address in `opensshmappermatchuser()`; {% highlight c %} opensshmapper.c static int opensshmappermatchuser(X509 *x509, const char *user, void *context) { struct passwd *pw; char filename[512]; if (!x509) return -1; if (!user) return -1; pw = getpwnam(user); if (!pw || isemptystr(pw->pwdir) ) { DBG1("User '%s' has no home directory",user); return -1; } sprintf(filename,"%s/.ssh/authorizedkeys",pw->pwdir); return opensshmappermatchkeys(x509,filename); } {% endhighlight %} Workarounds - ----------- Switch to pam_p11. Memory not cleaned properly before free() ========================================= Severity Rating: Low Vector: - CVE: - CWE: 244 CVSS Score: - CVSS Vector: - _ Summary and Impact - ------------------ In several places memory is set to zero using memset() and passed on to free() afterwards. This is a pattern which modern compilers optimize away, which renders the call to memset() useless. This causes sensitive data such as passwords to remain in the memory, which defeats the original intention of the code. {% highlight c %} memset(password, 0, strlen(password)); free(password); {% endhighlight %} Workarounds - ----------- Switch to pam_p11. Timeline ======== 2018-02-03 Issues found 2018-04-18 Vendor contacted 2018-04-18 Vendor reply 2018-05-18 Technical details provided 2018-05-24 Private git branch created, issues fixed 2018-08-08 Patched version released at https://github.com/x41sec/pam_pkcs11 2018-08-11 Advisory released - -- X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 Geschäftsführer: Markus Vervier -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3K4ACgkQo5Klpg50 CxDfHhAAiANUMfz5YSGvQS8HJYcAwiDwL5Z6TRJEKg4RRS94hehzpDCHaVaABsnB 6BtRCx6Jp8hDs9Iz36y+E8txg349OSUyrRSL9RQ6/G7MrLOJ0kOxijkAWbvJg/nD elgsGa65DKWwqHvc5AsRXxWZFtyNs6CTWGyfJJvyC3cpHM0E0jru5xjuwklm1YAG DOcqadZav2FPzKJz5tYsDa42aAWYyjE2MMXzkY7kT3aQ2G70DhN2mJqnnmsmMFcH GZaZO+4SaWq97SNVzzvKXk9m0T8S2HmumAF8g9mGLuCTfBVsbi4DmGyb9mvZOK2S djwBCHf0rRqXP83hszwHD/zQoW796r7tj9PGmKmvRoDeX76aGuLgQoZ55zged9R1 QkPiD89w+7YANMHumsfLXgXRdhxWaObFvtJWtFCd+v0iS5r249zYukJXn89lnY4p 1x3eBPOzYfSvdHBV0d8/l8uiqZGM9mN55Y4AvkOQYc2EZf78Hb7m150K+qtmh3vE nueVLB2ob6LKLewY+DbhglnExY3jy0sg0jTsvmA16fb1xWvuA6F7NsdT/8s/wPij SwM8KDdQfZo7n8RVt+C0saZUP5OeE/Pgvk3vfXefUZgKSI2ZhbPiCxmlPmh1Jd0Z 9hjUcKQHglKdDN9M5Ub0qIpDdi+KHQfdZZkMLJsWwQtAVqjCFQo= =IaN0 -----END PGP SIGNATURE-----
