An insufficient permission check issue was found in the way IPA server treats certificate revocation requests. An attacker logged in with the 'retrieve certificate' permission enabled could use this flaw to revoke certificates, possibly triggering a denial of service attack.
Summary: a user with 'retrieve certificate' permission can revoke
any certificate. The 'revoke certificate' permission is not
required.
Detail: the 'cert_revoke' command does check for the 'revoke
certificate' permission; however, if an access error is raised, it
then invokes the 'cert_show' command. The rationale was to re-use a
"self-service" check that is part of the 'cert_show' command, but
it is sufficient that 'cert_show' execute successfully for
'cert_revoke' to recover from the access error and continue.
Therefore, anyone with 'retrieve certificate' permission can revoke
*any* certificate.
Impact: anyone with 'retrieve certificate' permission can cause
various kinds of DoS by revoking any cert they want.
Scope: Every supported version of RHEL with IDM is affected.
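
The fallback described under "Detail", reduced to a minimal model and shown beside one way to harden it. This is an added example, not code from IPA: the function names, principals, permission table and the ownership-based "self-service" rule are all assumptions made for illustration.

```python
class AccessError(Exception):
    pass

# Constructed permission table and certificate store (hypothetical data).
PERMS = {
    "helpdesk": {"retrieve certificate"},
    "ca-admin": {"retrieve certificate", "revoke certificate"},
    "host1": set(),
}
CERTS = {1: "host1", 2: "host2"}  # serial -> owning principal

def check_access(principal, perm):
    if perm not in PERMS.get(principal, set()):
        raise AccessError(f"{principal} lacks '{perm}'")

def is_owner(principal, serial):
    # Assumed stand-in for the "self-service" check.
    return CERTS.get(serial) == principal

def cert_show(principal, serial):
    # Succeeds with 'retrieve certificate' OR for the certificate's owner.
    try:
        check_access(principal, "retrieve certificate")
    except AccessError:
        if not is_owner(principal, serial):
            raise
    return {"serial": serial, "owner": CERTS[serial]}

def cert_revoke_flawed(principal, serial):
    try:
        check_access(principal, "revoke certificate")
    except AccessError:
        # Flaw: any successful cert_show is treated as authorization,
        # so 'retrieve certificate' alone is enough to reach the revoke.
        cert_show(principal, serial)
    return "revoked"

def cert_revoke_fixed(principal, serial):
    try:
        check_access(principal, "revoke certificate")
    except AccessError:
        # Only the self-service condition itself may override the denial.
        if not is_owner(principal, serial):
            raise
    return "revoked"

def allowed(fn, principal, serial):
    try:
        return fn(principal, serial) == "revoked"
    except AccessError:
        return False
```

A regression test for this class of bug should call the privileged operation as a principal that holds only the weaker permission and assert that it is denied.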