Bug 1992149 (CVE-2021-3698)
| Summary: | CVE-2021-3698 cockpit: authenticates with revoked certificates | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bmontgom, dperpeet, eparis, gkamathe, jburrell, lmanasko, michal.skrivanek, mmarusak, mperina, mpitt, nstielau, patrick, pvolpe, sbonazzo, security-response-team, sgrubb, sponnaga, ssorce, stefw |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | cockpit 260 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-11 07:46:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1992432, 1992620, 1993783, 1998513, 2005344 | | |
| Bug Blocks: | 1988484, 1992150 | | |
Description
Guilherme de Almeida Suckevicz
2021-08-10 16:30:23 UTC
(1) This is not currently a supported use case. The documentation [0] warns that cockpit doesn't do any meaningful verification of the certificate (it does reject expired ones, but no CA/CRL). This behaviour is not a secret, so it might be beneficial to make this unembargoed, to have a pointer for other affected users.

(2) Fixing this properly requires adding a validation D-Bus API to sssd [1]. I filed bug 1992432 for tracking this.

[0] https://cockpit-project.org/guide/latest/cert-authentication.html
[1] https://github.com/SSSD/sssd/issues/5224

Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 1998513]

Is this going to be fixed for RHEL 7? I'm asking because we got a tracker opened on RHV-M 4.3 (bug #1993783) which is cross-shipping cockpit from RHEL 7 and if it's not going to be fixed there we should close it as well for RHV-M.

Sandro: No, it does not affect RHEL 7, the certificate auth functionality is RHEL 8/9 only (introduced in version 208, and RHEL 7 has Cockpit 195).

With sssd 2.6.1 now being available in at least Fedora 35 and Debian testing, I worked on using this new API in Cockpit: https://github.com/cockpit-project/cockpit/pull/16703

This includes integration tests and documentation, and falling back to the pre-2.6.1 API (where only full binary matching is supported). Review much appreciated! Thanks again to the sssd team, in particular Iker Pedrosa, for adding the validation API!

As this breaks existing systems on upgrades, I add Lucie to CC: you now *have* to configure a CA in sssd for cert logins to work, and unfortunately `realm join` does not do this automatically for IPA. The upstream release note (in the PR, going to be in the release blog) and the upstream docs (once the PR lands) have the details.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:2008 https://access.redhat.com/errata/RHSA-2022:2008

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3698
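The thread above states that from Cockpit 260 a certificate login only succeeds once SSSD has validated the presented certificate against a configured CA, so after the upgrade an SSSD trust anchor (and, for revocation, a CRL) has to be present in sssd.conf. The fragment below is an added illustration of what that configuration looks like; it is not taken from this bug, from the Cockpit project or from SSSD. The file paths and the domain name are placeholders, and the option names (`pam_cert_auth`, `pam_cert_db_path`, `certificate_verification` with `crl_file=`, `ldap_user_certificate`) and the `ifp` service name come from my reading of sssd.conf(5), not from the page.

```ini
# /etc/sssd/sssd.conf (added example; paths and domain are placeholders)

[sssd]
domains = example.com
# ifp is the D-Bus responder (InfoPipe) that Cockpit queries for the
# certificate lookup; the others are the usual NSS/PAM responders.
services = nss, pam, ifp

# Revocation checking. SSSD only consults a CRL when crl_file= is set.
# Do NOT use "certificate_verification = no_verification": that disables
# chain and revocation checks and reproduces the pre-Cockpit-260 situation
# where a revoked certificate still logs in as long as it matches the
# userCertificate attribute byte for byte.
certificate_verification = crl_file=/etc/sssd/pki/ca.crl

[pam]
# Enable certificate / smart-card authentication in SSSD's PAM responder.
pam_cert_auth = True
# PEM bundle of CA certificates that client certificates must chain to.
# Without a trust anchor here, SSSD cannot validate anything and Cockpit
# certificate logins fail after the fix, as the comment above warns.
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
# Directory attribute holding each user's certificate; the presented client
# certificate is matched against it (this is the documented default value).
ldap_user_certificate = userCertificate;binary
```

The point to verify after deploying such a file is the negative case: a certificate that chains to the configured CA but is listed in `ca.crl` must be refused at the Cockpit login page, and the same certificate must be refused again once its notAfter date has passed even if the CRL is removed, since expiry was the only check Cockpit performed before the fix.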