NEWS
X41 D-Sec GmbH Security Advisory: X41-2018-003
Multiple Vulnerabilities in pam_pkcs11
Overview
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pam_pkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/
Summary and Impact
It is possible to replay an authentication by using a specially prepared smartcard or token in case pam-pkcs11 is compiled with NSS support. Furthermore two minor implementation issues have been identified.
X41 did not perform a full test or audit of the software.
Product Description
This Linux-PAM login module allows a X.509 certificate based user
login. The certificate and its dedicated private key are thereby
accessed by means of an appropriate PKCS #11 module. For the
verification of the users’ certificates, locally stored CA
certificates as well as either online or locally accessible CRLs are
used.
Authentication Replay
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary and Impact
A replay attack is possible due to a logic bug in file pam_pkcs11.c. In function pam_sm_authenticate() a nonce is generated and signed with the card to verify that the card holds the matching secret key, if a valid certifiate is found. This is done using the function get_random_value(), which in turn calls PK11_GenerateRandom(), which queries the smartcard for random data.
This allows for a replay attack with a malicious smartcard. If a user plugins in his card into a compromised computer, the nonce and answer can be recorded by an attacker. The attacker then modifies a smartcard or a smartcard emulator to replay with the exact same nonce and signed data, which allows the attacker to login to another computer without having further access to the smartcard.
Workarounds
Switch to pam_p11.
Buffer Overflow
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -
Summary and Impact
In file openssh_mapper.c a stack based buffer overflow is possible if a user has a home directory with a length of more than 512 bytes. This allows to overwrite the passwd structure and possibly the return address in openssh_mapper_match_user();
openssh_mapper.c
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
struct passwd *pw;
char filename[512];
if (!x509) return -1;
if (!user) return -1;
pw = getpwnam(user);
if (!pw || is_empty_str(pw->pw_dir) ) {
DBG1("User '%s' has no home directory",user);
return -1;
}
sprintf(filename,"%s/.ssh/authorized_keys",pw->pw_dir);
return openssh_mapper_match_keys(x509,filename);
}Workarounds
Switch to pam_p11.
Memory not cleaned properly before free()
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -
Summary and Impact
In several places memory is set to zero using memset() and passed on to free() afterwards. This is a pattern which modern compilers optimize away, which renders the call to memset() useless. This causes sensitive data such as passwords to remain in the memory, which defeats the original intention of the code.
memset(password, 0, strlen(password));
free(password); Workarounds
Switch to pam_p11.
Timeline
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at https://github.com/x41sec/pam_pkcs11