Bug 1726223 (CVE-2019-10195)

Summary: CVE-2019-10195 ipa: Batch API logging user passwords to /var/log/httpd/error_log
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abokovoy, dblechte, dfediuck, eedri, fdc, frenaud, huzaifas, ipa-maint, jamison.bennett, jcholast, jhrozek, mgoldboi, michal.skrivanek, pvoborni, rcritten, rtillery, sbonazzo, security-response-team, sherold, ssorce, tscherf, twoerner, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1728123, 1776939, 1777303, 1728124, 1728125, 1777147, 1777252
Bug Blocks: 1723319
Attachments:
Description      Flags
Candidate patch  none

Description msiddiqu 2019-07-02 11:10:43 UTC
FreeIPA's batch API logs user passwords to /var/log/httpd/error_log. When the actual command is processed, the passwords get masked out, however when the batch command is logged it logs all parameters of the sub-commands including the sensitive ones.
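An illustrative model of the defect described above, written for this page and not FreeIPA's own code (the command table, helper names and sample batch are constructed): the same batch is rendered once with every argument verbatim, as the batch-level log line did, and once with each sub-command's password parameters masked, as the per-command log line already did.

```python
# Illustrative model of the CVE-2019-10195 logging defect; not FreeIPA's code.
# Command metadata below is constructed for the example.
from typing import Any, Dict, Sequence, Tuple

MASK = "********"

# name -> (positional parameter names, names of password-type parameters)
COMMANDS = {
    "group_find": (["criteria"], set()),
    "passwd": (["principal", "password", "current_password"],
               {"password", "current_password"}),
}


def format_call(name: str, args: Sequence[Any], kwargs: Dict[str, Any],
                masked: bool) -> str:
    """Render one call as a debug log line; masked=False reproduces the
    batch-level bug (all values verbatim), masked=True applies the
    per-command rule (password parameters become MASK unless None)."""
    params, sensitive = COMMANDS.get(name, ([], set()))
    parts = []
    for i, value in enumerate(args):
        pname = params[i] if i < len(params) else None
        if masked and pname in sensitive and value is not None:
            value = MASK
        parts.append(repr(value))
    for key, value in kwargs.items():
        if masked and key in sensitive and value is not None:
            value = MASK
        parts.append("%s=%r" % (key, value))
    return "%s(%s)" % (name, ", ".join(parts))


def format_batch(subcommands: Sequence[Tuple[str, Sequence[Any], Dict[str, Any]]],
                 masked: bool) -> str:
    """Render the batch wrapper; sub-commands are (name, args, kwargs)."""
    inner = ", ".join(format_call(n, a, k, masked) for n, a, k in subcommands)
    return "batch(%s)" % inner


# Constructed sample mirroring the batch shown later in this bug (comment 3).
SAMPLE = [
    ("group_find", (None,), {}),
    ("passwd", ("test", "SecretPwd", None), {}),
]

if __name__ == "__main__":
    print("vulnerable:", format_batch(SAMPLE, masked=False))
    print("fixed:     ", format_batch(SAMPLE, masked=True))
```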

Comment 2 Rob Crittenden 2019-07-03 15:28:48 UTC
Created attachment 1587101 [details]
Candidate patch

Comment 3 Florence Blanc-Renaud 2019-07-04 07:42:25 UTC
Patch tested successfully. I also ran the ipatests/test_xmlrpc/test_batch_plugin.py tests without any issue.

Example of output in /var/log/httpd/error_log when running in batch "ipa group_find" and "ipa passwd test SecretPwd":

ipa: DEBUG: raw: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: raw: group_find(None, version='2.233')
ipa: DEBUG: group_find(None, private=False, posix=False, external=False, nonposix=False, all=False, raw=False, version='2.233', no_members=True, pkey_only=False)
ipa: INFO: admin@DOMAIN.COM: batch: group_find(None): SUCCESS
ipa: DEBUG: raw: passwd('test', '********', None, version='2.233')
ipa: DEBUG: passwd(ipapython.kerberos.Principal('test@DOMAIN.COM'), '********', '********', version='2.233')
ipa: INFO: admin@DOMAIN.COM: batch: passwd('test', '********', None): SUCCESS
ipa: INFO: [jsonserver_kerb] admin@DOMAIN.COM: batch(group_find(None), passwd('test', '********', None)): SUCCESS

Comment 4 Rob Crittenden 2019-07-05 15:23:38 UTC
How should we go about releasing this? Is the upstream reporter going to disclose this at some point?

Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 matter? It is almost certainly affected too.

Is a CVE going to be assigned?

Comment 5 Jamison Bennett 2019-07-05 19:30:54 UTC
(In reply to Rob Crittenden from comment #4)
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?

I am the reporter of this, so I can answer part of your questions. I do not have plans to disclose this. I look forward to using the batch API when RedHat releases this fix. Your patch is better than the one I originally provided with the report because it logs more information than the original one did. Thanks.

> 
> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.
> 
> Is a CVE going to be assigned?

Comment 6 Huzaifa S. Sidhpurwala 2019-07-08 06:52:17 UTC
In reply to comment #4:
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?
> 
> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.
> 
This is rated as having moderate impact, so we will create unacked trackers for rhel-7/8. We don't plan to fix this for rhel-6, though.
> Is a CVE going to be assigned?

We will assign a cve id to this.

Comment 11 Huzaifa S. Sidhpurwala 2019-07-11 04:03:34 UTC
In reply to comment #5:
> (In reply to Rob Crittenden from comment #4)
> > How should we go about releasing this? Is the upstream reporter going to
> > disclose this at some point?
> 
> I am the reporter of this, so I can answer part of your questions. I do not
> have plans to disclose this. I look forward to using the batch API when
> RedHat releases this fix. Your patch is better than the one I originally
> provided with the report because it logs more information than the original
> one did. Thanks.
> 
> > 
> > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> > matter? It is almost certainly affected too.
> > 
> > Is a CVE going to be assigned?

Hi Jamison,

Since you reported this flaw, we would like to acknowledge you as the reporter. Are you OK with using your name "Jamison Bennett" as the reporter, or would you like something like "Jamison Bennett of Cloudera"?

Please let us know.

Comment 12 Jamison Bennett 2019-07-11 13:38:38 UTC
Hi Huzaifa,

Yes, that would be awesome to use something like "Jamison Bennett of Cloudera". Thank you for checking.

Thanks,
Jamison

Comment 13 Huzaifa S. Sidhpurwala 2019-07-15 06:44:11 UTC
Acknowledgments:

Name: Jamison Bennett (Cloudera)

Comment 16 Doran Moppert 2019-07-16 04:35:54 UTC
Statement:

This vulnerability exists in the server component of FreeIPA. Client packages are not affected.

Comment 21 Alexander Bokovoy 2019-11-26 13:47:33 UTC
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.

Comment 23 Huzaifa S. Sidhpurwala 2019-11-27 02:51:12 UTC
Upstream commit: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0

Comment 24 Huzaifa S. Sidhpurwala 2019-11-27 02:51:45 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777147]