Bug 1017197 (CVE-2011-4973)

Summary: CVE-2011-4973 mod_nss: FakeBasicAuth authentication bypass
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alee, awnuk, cfu, dpal, jkurik, jmagne, mharmsen, nkinder, pfrields, rcritten, rmeggins, thoger, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-14 21:52:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 702437, 749402, 1017675, 1022921    
Bug Blocks: 830846    

Description Tomas Hoger 2013-10-09 12:26:46 UTC 
A flaw was reported in the way mod_nss handled FakeBasicAuth NSSOption.  Unlike mod_ssl, mod_nss only used CommonName from a client certificate's subject, rather than the whole subject DN.  This made safety check inherited from mod_ssl that ensured client can not submit username and password generated by FakeBasicAuth via Authorization header without actually providing valid client certificate.  Further details are in the Jared Jennings' post to the mod_nss mailing list:

https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html

Problem was corrected in the following upstream git commit:

https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3

This fix is not yet included in any released mod_nss version.  The last released version to date is 1.0.8 from Jul 2008.

This problem was already corrected in Red Hat Enterprise Linux 5 and 6 mod_nss packages via the following errata:

https://rhn.redhat.com/errata/RHBA-2011-1656.html
https://rhn.redhat.com/errata/RHBA-2013-0009.html
Comment 1 Tomas Hoger 2013-10-09 12:38:17 UTC 
It should be noted that after the fix, any htpasswd file that was created for use with older mod_nss version (i.e. file that only contains CN for user name) need to be changed to use full DN.  This is required to both make authentication work for valid users authenticating using client certificates, as well as to address the authentication bypass.
Comment 2 Ratul Gupta 2013-10-10 10:21:59 UTC 
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1017675]