Bug 1891016 (CVE-2020-25715)

Summary: CVE-2020-25715 pki-core: XSS in the certificate search results
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, alee, alexander.m.scheel, cfu, dsirrine, edewata, jmagne, kwright, mharmsen, mkdineshprasanth, psampaio, rhcs-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core 10.9.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in pki-core. A specially crafted POST request can be used to reflect a DOM-based cross-site scripting (XSS) attack to inject code into the search query form which can get automatically executed. The highest threat from this vulnerability is to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-15 17:25:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1426572, 1898055, 1903211, 1934142, 1934278, 1934676, 1934678, 1940561, 1945155, 1945156, 1945157    
Bug Blocks: 1891015    

Description Cedric Buissart 2020-10-23 14:42:25 UTC 
The search query is reflected back to the user, and injected in a form, so that the user can click on the "next page", etc. However, a specially crafted POST request can be used to reflect a DOM XSS, which can get automatically executed. 

The XSS requires the victim to have installed their RHCS certificate in the web browser. If that certificate has sufficient permissions, the XSS can be used to execute arbitrary code, including sending and signing arbitrary certificates.

Vulnerable page : /ca/ee/ca/listCerts (there might be other pages vulnerable to a similar attack)

```
document.write(
"<button NAME=begin onClick='doNext(this)' VALUE='|<<' width='72'>|<<</button>\n"+
"<button "+disabledUp+" NAME=up onClick='doNext(this)' VALUE='<' width='72'><</button>\n"+
[...]
"<INPUT TYPE=hidden NAME=skipNonValid VALUE='"+
(result.header.skipNonValid ? result.header.skipNonValid : "") + "'>\n"+
```

Several POST parameters, including `skipNonValid`, are being reflected back to the browser without having been sanitized by the server. An attacker can use that to inject JavaScript in the DOM.

Attack scenario :
A victim authenticated in RHCS web UI (the corresponding web browser has the required key/cert installed for client authentication), is tricked into clicking a button on an attacker-controlled website. The XSS can then be used to execute arbitrary JavaScript in the context of RHCS.
Comment 7 Eric Christensen 2021-02-11 18:30:25 UTC 
Mitigation:

Because the cross-site scripting (XSS) attack requires the victim to have their RHCS certificate installed in their web browser to be successful, it is recommended that web browser not hold the keys and that the user use the command line interface (CLI) instead.
Comment 8 Cedric Buissart 2021-03-02 15:27:57 UTC 
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1934142]
Comment 11 Cedric Buissart 2021-03-03 20:44:42 UTC 
Upstream fix : 
https://github.com/dogtagpki/pki/commit/13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6
Comment 16 errata-xmlrpc 2021-03-15 13:26:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819
Comment 17 Product Security DevOps Team 2021-03-15 17:25:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25715
Comment 18 errata-xmlrpc 2021-03-16 13:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851
Comment 19 Cedric Buissart 2021-03-18 15:44:15 UTC 
Statement:

Red Hat Enterprise Linux 8.3 (pki-core 10.9.4) contains mitigations that prevents the vulnerability to be exploited. Red Hat Enterprise Linux version 8 prior to 8.3 are vulnerable to this version
Comment 20 errata-xmlrpc 2021-03-23 16:46:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975
Comment 21 errata-xmlrpc 2021-04-20 09:49:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1263 https://access.redhat.com/errata/RHSA-2021:1263