Re: CVS-Request: realmd code execution/auth bypass

[Sebastian Krahmer <krahmer () suse de>]

On Wed, Mar 25, 2015 at 04:36:52PM -0400, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Upstream has opened two bugs for issues in realmd
>
> This initial response has a CVE ID only for the second one.
>
> > could lead to remote attackers logging into the local system
> > by placing an evil AD server in the LAN
> > https://bugs.freedesktop.org/show_bug.cgi?id=89205
>
> Is upstream planning to announce this as a vulnerability fix? Although
> the old behavior was unsafe if there was any possibility of an
> untrusted device on the LAN, it appears that the old behavior had been
> intentional. For example, the old behavior may have been chosen as a
> security/convenience tradeoff. This example might be applicable:
>
>   https://fedoraproject.org/wiki/QA:Testcase_realmd_join_automatic

Are CVE's only assigned if upstream is issuing fixes? The bug
entry reads like that there is something that needs fixing:

Attackers can pose as a legit realm (with the same name) so the admin is tricked to
join to a rogue AD, allowing an attacker to log into the machine.
The admin has no chance to know that he joined an evil AD which
has hijacked his legit realm-name.
Even when its intentional that the join is automatic for convenience,
it should "somehow" be ensured that the legit AD servers are used.

Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team