Bug 1475851 (CVE-2017-11191)

Summary: CVE-2017-11191 ipa: Session reuse to unlock the locked user
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: abokovoy, dkholia, frenaud, ftrivino, ipa-maint, jcholast, jhrozek, mkosek, pvoborni, pvomacka, rcritten, security-response-team, ssorce, tkrizek, tscherf
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2017-09-29 12:09:07 UTC
Bug Depends On: 1497164
Bug Blocks: 1475857

Description Andrej Nemec 2017-07-27 13:24:33 UTC
A flaw was found in the way FreeIPA handled sessions. It was found that a user with a locked account could reuse his older session, from when the user's account was active, to unlock his account which got locked later on.

Comment 4 Pavel Vomacka 2017-07-28 07:03:40 UTC
Version: FreeIPA, version: 4.4.0-12 on RHEL 7.3

I tried to use two browsers for reproducing it. See the steps below.

Account lock due to failed login attempts:
1. Chrome: Logged in as tuser
2. Firefox: Logged out
3. Firefox: 6x failed login as tuser
4. Firefox: Try to log in with the correct password to test that the account is locked
5. Firefox: Login is not possible
6. Chrome: (still active session from last login) Tries to click Unlock in the Actions menu - it failed with an internal server error (the same error appears for any other API calls to the server)

Account disabling:
1. Chrome: Logged in as tuser
2. Firefox: Logged in as admin
3. Firefox: Navigate to the 'tuser' user details page
4. Firefox: Actions -> Disable to disable the 'tuser' user
5. Chrome: (still active session from last login) Enable in the Actions menu on the details page is grayed out, so tries to change a field value and click "Save" - it failed with an internal server error (the same error appears for any other API calls to the server)

In case the steps above are the steps to reproduce, I'm not able to reproduce it. But still, I would rather wait for exact steps (and more information about the environment) from the reporter to be sure that we don't miss anything.

Comment 6 Adam Mariš 2017-09-29 11:02:09 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1497164]

Comment 9 Dhiru Kholia 2017-10-05 09:48:55 UTC
Statement:

This security issue does not exist in IPA / FreeIPA. The FreeIPA server correctly rejects the HTTP request for the "user_unlock" method with a 401 Unauthorized HTTP code when the attacker tries to reuse an older browser session. Therefore, we do not consider this report a valid security concern. We have submitted a request to MITRE to reject this CVE ID.
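The behaviour the statement above describes, and the first scenario in comment 4, as an added illustration that is not FreeIPA's code: a simplified server model whose per-request authorization re-checks the account's current state, so a session cookie issued while the account was active is answered with 401 once the account is locked. The Account/Server classes, the lockout threshold of five failures and the passwords are all constructed for the model; `revalidate=False` models the flaw as originally reported, where only login-time state is trusted.

```python
# Added illustration, not FreeIPA's code: re-checking account state per request.
from dataclasses import dataclass, field
import secrets
HTTP_OK, HTTP_UNAUTHORIZED = 200, 401
MAX_FAILED = 5  # constructed policy: the sixth failed login locks the account

@dataclass
class Account:
    password: str  # constructed plaintext, for the model only
    failed: int = 0
    locked: bool = False
    disabled: bool = False

@dataclass
class Server:
    accounts: dict
    revalidate: bool = True  # False models a server trusting login-time state
    sessions: dict = field(default_factory=dict)  # session id -> username

    def login(self, user, password):
        acct = self.accounts[user]
        if acct.locked or acct.disabled or password != acct.password:
            acct.failed += 1
            acct.locked = acct.locked or acct.failed > MAX_FAILED
            return None
        acct.failed = 0
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def call(self, sid, method, **params):
        # The cookie only proves who logged in; the account's current state decides.
        user = self.sessions.get(sid)
        if user is None:
            return HTTP_UNAUTHORIZED
        acct = self.accounts[user]
        if self.revalidate and (acct.locked or acct.disabled):
            return HTTP_UNAUTHORIZED  # old session cannot act for a locked account
        if method == "user_unlock":  # permission checks omitted in this model
            target = self.accounts[params["uid"]]
            target.locked, target.failed = False, 0
        return HTTP_OK

def replay_after_lockout(revalidate=True):
    """Comment 4, scenario 1: log in, lock via six failed logins, replay the old session."""
    srv = Server({"tuser": Account("constructed-pw")}, revalidate=revalidate)
    sid = srv.login("tuser", "constructed-pw")  # session from the active account
    for _ in range(6): srv.login("tuser", "wrong-pw")
    assert srv.login("tuser", "constructed-pw") is None  # account is locked now
    return srv.call(sid, "user_unlock", uid="tuser")  # 401 is correct, 200 is the flaw
```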