CVE request: samba pam_winbind authentication fails open

[Vincent Danen <vdanen () redhat com>]

Just cutting-and-pasting from the bug I just filed.  The following was
reported to us, but had been reported upstream last year.

It was reported [1] that Samba's pam_winbind module would fail open (allowing
access) when the require_membership_of option is used as an argument to
pam_winbind, and contains a non-existent group as the value.  In such a
configuration, rather then failing and not permitting authentication which is
what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the
group 'Admin', they will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, the user
is obviously not a member of said group, authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was
introduced October 2009 and another commit [3] looks like the fix, although
that is for another bug [4] that's somewhat related to this issue and somewhat
not.

[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598


Could a CVE be assigned to this issue?

--
Vincent Danen / Red Hat Security Response Team