Mitigate Baron SameEdit (CVE-2021-3156) vulnerability


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password set by the developer that the system administrator never changes.

Warning code(s):

If this call fails, the program could fail to drop heightened privileges.

File Name:

mpich2-1.2.1/src/pm/smpd/smpd_state_machine.c

Context:

The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 6 access weakness.

 	    context->state = SMPD_CLOSING;
	    result = SMPDU_Sock_post_close(context->sock);
	    smpd_exit_fn(FCNAME);
	    return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
	}

	smpd_exit_fn(FCNAME);
	return (result == SMPD_SUCCESS) ? SMPD_SUCCESS : SMPD_FAIL;
    }

    smpd_dbg_printf("calling QuerySecurityContextToken\n");
    sec_result = smpd_process.sec_fn->QuerySecurityContextToken(&context->sspi_context->context, &context->sspi_context->user_handle);
    if (sec_result == SEC_E_OK)
    {
	/* Create a primary token to be used to start the manager process */
	if (strcmp(context->sspi_header, "yes") == 0)
	{
	    /* full delegation requested */
	    smpd_dbg_printf("calling DuplicateTokenEx with SecurityDelegation\n");
	    duplicate_result = DuplicateTokenEx(context->sspi_context->user_handle, MAXIMUM_ALLOWED, NULL, SecurityDelegation, TokenPrimary, &user_handle);
	    if (context->target == SMPD_TARGET_SMPD)
	    {
		/* smpd targets need the user token and the user name */
		/* so get the user name here */
		sec_result = smpd_process.sec_fn->ImpersonateSecurityContext(&context->sspi_context->context);
		smpd_get_user_name(context->account, context->domain, context->full_domain);
		if (sec_result == SEC_E_OK)
		{
		    smpd_process.sec_fn->RevertSecurityContext(&context->sspi_context->context);
		    smpd_dbg_printf("impersonated user: '%s'\n", context->account);
		}
		else
		{
		    smpd_err_printf("ImpersonateSecurityContext failed: %d\n", sec_result);
		    result_str = SMPD_FAIL_STR;
		}
	    }
	}
	else
	{
	    /* impersonate only */
	    smpd_dbg_printf("calling DuplicateTokenEx with SecurityImpersonation\n");
	    duplicate_result = DuplicateTokenEx(context->sspi_context->user_handle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &user_handle);
	}
	if (duplicate_result)
	{
	    CloseHandle(context->sspi_context->user_handle);
	    context->sspi_context->user_handle = user_handle;
	    smpd_dbg_printf("duplicated user token: %p\n", user_handle);
	} 
