This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Security impact of nscd and NSS module bugs (particularly NIS)
- From: Florian Weimer <fweimer at redhat dot com>
- To: Russ Allbery <eagle at eyrie dot org>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 04 Jul 2014 11:25:47 +0200
- Subject: Re: Security impact of nscd and NSS module bugs (particularly NIS)
- References: <53B54CEE dot 6040505 at redhat dot com> <87pphmz3g5 dot fsf at windlord dot stanford dot edu>
On 07/03/2014 08:45 PM, Russ Allbery wrote:
> Florian Weimer <fweimer@redhat.com> writes:
>> The other difficulty in this area is NIS. If we have a buffer overflow
>> in processing data from NIS, is this a security bug? As far as I can
>> tell, NIS is mostly used for accounts, so a malicious server could just
>> serve an account with UID=0, so it's not obvious to me that a trust
>> boundary is crossed (which is required for a security vulnerability).
> Using NIS at all these days is basically a security vulnerability.

I won't argue about that…

> That said, I do think a trust boundary has been crossed here. Yes, NIS
> can return an account with UID=0, but there may be other controls in place
> locally to prevent someone from actually accessing that account (consider,
> for instance, PAM modules that require certain authentication protocols
> when accessing any account with UID=0 regardless of username). A buffer
> overflow in NIS data processing potentially allows an attacker to
> compromise the system without having to authenticate to it in any way,
> which is more than changing the UID that NIS returns allows, unless I'm
> missing something.

Yes, there is some potential for privilege escalation if the attacker
does not already have interactive access to the system (or write access
to the file system). The tricks you can play with changing login shells
and home directories are somewhat limited.
I'm still not quite sure if this corner case is sufficient to worry
about. Unlike the nscd denial-of-service crashers, we are only talking
about a short list of bugs here, so the impact from going with security+
on this one is pretty limited.
--
Florian Weimer / Red Hat Product Security
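The point argued in this exchange, that a record coming back from a NIS server is untrusted input regardless of what local policy later does with the UID, comes down to how an NSS backend copies map values into its fixed-size buffers. The following is an added example written for this archive page; it is not glibc's NIS code and not code from either poster. It parses the standard seven-field passwd line layout, but the buffer sizes, the `parse_result` codes and the function names are hypothetical, and the sample map values are constructed. Every string field is length-checked before it is copied, so an oversized field is rejected as a whole rather than truncated or written past the buffer, and malformed numeric or path fields are refused instead of being passed on to login.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size fields standing in for the static buffers an
   NSS module might fill from a map value.  Sizes are kept small so short
   constructed input exercises the length checks. */
#define NAME_MAX_LEN  32
#define DIR_MAX_LEN   64
#define SHELL_MAX_LEN 64

struct passwd_rec {
    char name[NAME_MAX_LEN];
    unsigned long uid;
    unsigned long gid;
    char dir[DIR_MAX_LEN];
    char shell[SHELL_MAX_LEN];
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_BAD_FIELD_COUNT,
    PARSE_FIELD_TOO_LONG,
    PARSE_BAD_NUMBER,
    PARSE_BAD_PATH
};

/* Copy the field [src, end) into a fixed buffer.  A field that does not fit
   together with its NUL terminator is an error: never truncated, never
   written past the end. */
static int copy_field(char *dst, size_t dst_size, const char *src, const char *end)
{
    size_t len = (size_t)(end - src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse an unsigned decimal id from [src, end).  Empty fields, signs,
   leading whitespace and trailing garbage are all rejected. */
static int parse_id(const char *src, const char *end, unsigned long *out)
{
    char tmp[21];                          /* 64-bit decimal plus NUL */
    if (copy_field(tmp, sizeof tmp, src, end) != 0 || tmp[0] < '0' || tmp[0] > '9')
        return -1;
    char *stop;
    errno = 0;
    unsigned long v = strtoul(tmp, &stop, 10);
    if (errno != 0 || *stop != '\0')
        return -1;
    *out = v;
    return 0;
}

/* Parse "name:passwd:uid:gid:gecos:dir:shell" from an untrusted map value.
   Exactly seven fields are required; each string field is bounded. */
enum parse_result parse_passwd_line(const char *line, struct passwd_rec *rec)
{
    const char *start[7], *end[7];
    const char *p = line;
    for (int i = 0; i < 7; i++) {
        const char *colon = strchr(p, ':');
        start[i] = p;
        if (i < 6) {
            if (colon == NULL)
                return PARSE_BAD_FIELD_COUNT;  /* too few fields */
            end[i] = colon;
            p = colon + 1;
        } else {
            if (colon != NULL)
                return PARSE_BAD_FIELD_COUNT;  /* extra fields */
            end[i] = p + strlen(p);
        }
    }
    if (copy_field(rec->name, sizeof rec->name, start[0], end[0]) != 0)
        return PARSE_FIELD_TOO_LONG;
    if (parse_id(start[2], end[2], &rec->uid) != 0 ||
        parse_id(start[3], end[3], &rec->gid) != 0)
        return PARSE_BAD_NUMBER;
    if (copy_field(rec->dir, sizeof rec->dir, start[5], end[5]) != 0 ||
        copy_field(rec->shell, sizeof rec->shell, start[6], end[6]) != 0)
        return PARSE_FIELD_TOO_LONG;
    /* Home directory and login shell must be absolute paths; a relative or
       empty value supplied by the server is refused outright. */
    if (rec->dir[0] != '/' || rec->shell[0] != '/')
        return PARSE_BAD_PATH;
    return PARSE_OK;
}

/* Convenience wrapper returning only the verdict. */
enum parse_result check_line(const char *line)
{
    struct passwd_rec rec;
    return parse_passwd_line(line, &rec);
}

int main(void)
{
    /* Constructed sample map values, not real NIS data. */
    const char *samples[] = {
        "alice:x:1000:1000:Alice:/home/alice:/bin/sh",
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ":x:0:0::/:/bin/sh",
        "bob:x:abc:1::/home/bob:/bin/sh",
        "carol:x:1:1::/home/carol:sh",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("result %d: %s\n", (int)check_line(samples[i]), samples[i]);
    return 0;
}
```

The second sample carries a 40-byte user name against a 32-byte field and is rejected before anything is copied, which is the behaviour the thread is asking for from an NSS backend: a map value that does not fit the record never becomes a memory-safety problem, only a lookup failure that can be logged on the client.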