Improper Authorization in saltstack/salt

Valid

Reported on

Mar 5th 2022


Description

When configuring saltstack to authenticate via the salt.auth.pam module, the authorization of an account's validity is missing. Therefore expired accounts, or accounts with expired passwords, can still log in.

Proof of Concept

Configure salt with salt.auth.pam and run it with an expired account. To expire a PAM account use: chage -E0 <username>

Impact

After successful authentication with pam_authenticate it's necessary to check the validity of an account with pam_acct_mgmt(). This is done, but the return value is discarded and only the return value of pam_authenticate is being used, which results in skipping authorization completely. Depending on how salt is configured this can become pretty severe. You don't revoke privileges for an account without a reason. As always I assume that the salt developers could estimate the severity way better than I could, so feel free to correct it.

Occurrences

Here is a fix. I don't want to make it public via fork & commit before it has been solved.

+++ b/salt/auth/pam.py
@@ -209,7 +209,7 @@ def authenticate(username, password):

     retval = PAM_AUTHENTICATE(handle, 0)
     if retval == 0:
-        PAM_ACCT_MGMT(handle, 0)
+        retval = PAM_ACCT_MGMT(handle, 0)
     PAM_END(handle, 0)
     return retval == 0
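
Review bot: on the `retval = PAM_ACCT_MGMT(handle, 0)` line, an account-management failure now flows into the same `return retval == 0` as a failed PAM_AUTHENTICATE, so nothing records why the login was refused. Consider logging the non-zero retval from PAM_ACCT_MGMT before PAM_END so an operator can tell an expired account from a wrong password, and add a regression test covering the case where PAM_AUTHENTICATE succeeds while PAM_ACCT_MGMT fails.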
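
A static check for the pattern the Impact section describes, given here as an added example that is not part of the report or of Salt's code: it flags PAM status calls whose return value is dropped. The names PAM_AUTHENTICATE and PAM_ACCT_MGMT come from the patch; the function name discarded_pam_results and the two sample snippets are constructed for illustration.

```python
import ast

# PAM calls whose status code decides whether a login may proceed.
# The two names are taken from the patch above; treating exactly these
# as "must check" is an assumption of this example.
MUST_CHECK = {"PAM_AUTHENTICATE", "PAM_ACCT_MGMT"}


def discarded_pam_results(source):
    """Return sorted (line, name) pairs for must-check calls used as bare statements."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # An ast.Expr statement wrapping a Call means the result is thrown away.
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            func = node.value.func
            # Handle both plain names (PAM_ACCT_MGMT) and attributes (lib.PAM_ACCT_MGMT).
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in MUST_CHECK:
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed input: the control flow before the patch (account check result dropped).
BEFORE = '''
def authenticate(handle):
    retval = PAM_AUTHENTICATE(handle, 0)
    if retval == 0:
        PAM_ACCT_MGMT(handle, 0)
    PAM_END(handle, 0)
    return retval == 0
'''

# Constructed input: the same flow after the patch (result assigned to retval).
AFTER = BEFORE.replace("        PAM_ACCT_MGMT", "        retval = PAM_ACCT_MGMT")

if __name__ == "__main__":
    print("before:", discarded_pam_results(BEFORE))
    print("after: ", discarded_pam_results(AFTER))
```

PAM_END is deliberately left out of the must-check set, since its result does not gate the login decision in the code shown.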

References

We are processing your report and will contact the saltstack/salt team within 24 hours. 9 months ago
ysf modified the report
9 months ago
We have contacted a member of the saltstack/salt team and are waiting to hear back 9 months ago
ysf modified the report
9 months ago
ysf submitted a
9 months ago
We have sent a follow up to the saltstack/salt team. We will try again in 7 days. 9 months ago
We have sent a second follow up to the saltstack/salt team. We will try again in 10 days. 9 months ago
We have sent a third and final follow up to the saltstack/salt team. This report is now considered stale. 8 months ago
ysf
5 months ago

Researcher


@admin Is there any way to continue here?

Jamie Slome
5 months ago

Admin


@ysf - we can make the report public, and you are welcome to share the report URL directly with the maintainers or publicly disclose the issue.

Let me know how you would like to proceed 👍

ysf
5 months ago

Researcher


@admin this is very unlucky - because the maintainers have picked my merge and incorporated it into salt. You can see the big merge here: https://github.com/saltstack/salt/commit/d9343cca650d7197d3f6e107ffd506d25a8748ab

* Fix PAM auth CVE

Credit to @ysf

I'll send them the link one more time, somehow
Pedro Algarvio validated this vulnerability 5 months ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pedro Algarvio marked this as fixed in 3004.2 with commit d9343c 5 months ago
ysf has been awarded the fix bounty
This vulnerability will not receive a CVE
pam.py#L212 has been validated