fedoraproject.org Account System (FAS) security issue.

Robyn Bergeron rbergero at redhat.com
Thu May 9 16:18:18 UTC 2013


Greetings.

A bug has been discovered in the Fedora Account system that could have
exposed some sensitive information to logged in users.

The bug is around the group view function of the account system. 

The bug has been present since 2008.

In order to view the private data, a attacker would have to:

* login to the account system with a valid FAS account.
* Go to a group with unapproved members
* manipulate the URL to get a json version of the unapproved members
  list.

The information exposed could include the following from unapproved
members of a group:

* salted sha512 encrypted password
* security questions (plaintext)
* security answers, however they would be gpg encrypted.
* Possibly other account data that was marked 'private' if the user had
  privacy set.

A hotfix for this bug has been made in our infrastructure,      
and a upstream release with the fix is expected later today.

Review of logs has shown no cases where this bug was used in our
production account system, however our staging version was also
vulnerable and we are unable to confirm the information was not
accessed there. Moving forward, additional logging will be added to our
staging infrastructure.

We recommend (but do not require) that all users take this time to
change their passwords, update their security questions/answers and 
review their other account information.


-Robyn Bergeron


More information about the announce mailing list