Bug 2020575 (CVE-2021-42096)

Summary: CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack
Product: Other (Security Response)
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, infra-sig, jkaluza, jorton, ngompa13
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mailman 2.1.35
Doc Type: If docs needed, set a value
Doc Text:
Sensitive information is exposed to unprivileged users in mailman. The hash of the list admin password is used to derive the CSRF (Cross-site Request Forgery) token, which is exposed to unprivileged members of a list. Malicious members may use the CSRF token to perform an offline brute-force attack to retrieve the list admin password.
Last Closed: 2021-11-24 09:09:08 UTC
Bug Depends On: 2020576, 2020577, 2020666, 2021136, 2021137, 2021138, 2021139
Bug Blocks: 2020570

Description Marian Rehak 2021-11-05 10:13:15 UTC
A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

External Reference:

http://www.openwall.com/lists/oss-security/2021/10/21/4

Comment 1 Marian Rehak 2021-11-05 10:14:01 UTC
Created mailman tracking bugs for this issue:

Affects: fedora-33 [bug 2020576]
Affects: fedora-34 [bug 2020577]

Comment 2 Riccardo Schirone 2021-11-05 11:35:56 UTC
Upstream patch:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

Comment 3 Riccardo Schirone 2021-11-05 12:03:12 UTC
The csrf_token is computed in function csrf_token() of CSRFcheck.py file:
```python
# Python 2 code from Mailman 2.1's CSRFcheck.py; the backticks around `issued`
# are Python 2's repr() shorthand. Imports as used by that module.
import time
import marshal
import binascii

from Mailman.Utils import sha_new

def csrf_token(mlist, contexts, user=None):
    """ create token by mailman cookie generation algorithm """

    # Take the first context the requester is authenticated for; `secret`
    # is that context's stored password hash.
    for context in contexts:
        key, secret = mlist.AuthContextInfo(context, user)
        if key:
            break
    else:
        return None     # not authenticated
    issued = int(time.time())
    # Unkeyed SHA1 of secret + timestamp: this is the value the token exposes.
    mac = sha_new(secret + `issued`).hexdigest()
    keymac = '%s:%s' % (key, mac)
    token = binascii.hexlify(marshal.dumps((issued, keymac)))
    return token
```

When creating an HTML form in a page accessible to a list member, this function is used to compute the token placed in a hidden input field in the form; however, the first context passed to it is mm_cfg.AuthListAdmin, thus the csrf_token is created based on the list admin password.

Any member of the list can thus extract the `mac` part of the token, which is computed as a SHA1 of the admin's secret (password) plus the time when the token was generated. This data could be used by a malicious user to crack the password of the admin user offline.
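As an added illustration (this is neither Mailman's code nor the upstream fix), a Python 3 port of the derivation quoted above, an audit helper that decodes a form's token to see which auth context it is bound to, and an HMAC-keyed alternative whose mac reveals nothing about any password. ADMIN_KEY, USER_KEY and SITE_KEY are constructed stand-ins, not Mailman's real values.

```python
import binascii
import hashlib
import hmac
import marshal
import os
import time

# Constructed stand-ins for Mailman auth-context keys (assumption: real keys differ).
ADMIN_KEY = "admin"
USER_KEY = "user+alice%40example.org"


def vulnerable_csrf_token(key, secret, issued=None):
    """Port of the quoted derivation: mac = SHA1(secret || str(issued)), where
    secret is the stored password hash of the chosen auth context."""
    issued = int(time.time()) if issued is None else issued
    mac = hashlib.sha1((secret + str(issued)).encode()).hexdigest()
    return binascii.hexlify(marshal.dumps((issued, "%s:%s" % (key, mac)))).decode()


def inspect_token(token):
    """Decode a token with no secret at all; marshal + hexlify is not encryption,
    so anyone holding the hidden field sees (issued, key, mac)."""
    issued, keymac = marshal.loads(binascii.unhexlify(token))
    key, mac = keymac.split(":", 1)
    return issued, key, mac


def token_bound_to_admin(token):
    """Audit check for a form served to a member: is its token admin-keyed?"""
    return inspect_token(token)[1] == ADMIN_KEY


# Hardened design (an added example, not Mailman's fix): key the mac with a random
# per-site secret so the token is independent of every password hash.
SITE_KEY = os.urandom(32)  # constructed here; a real deployment persists it server-side


def _hmac(site_key, key, issued):
    return hmac.new(site_key, ("%s:%d" % (key, issued)).encode(), hashlib.sha256).hexdigest()


def hardened_csrf_token(key, issued=None, site_key=SITE_KEY):
    issued = int(time.time()) if issued is None else issued
    keymac = "%s:%s" % (key, _hmac(site_key, key, issued))
    return binascii.hexlify(marshal.dumps((issued, keymac))).decode()


def verify_hardened(token, key, now=None, max_age=3600, site_key=SITE_KEY):
    """Constant-time check that the token is for `key` and not expired."""
    issued, tok_key, mac = inspect_token(token)
    now = int(time.time()) if now is None else now
    fresh = 0 <= now - issued <= max_age
    return tok_key == key and fresh and hmac.compare_digest(mac, _hmac(site_key, key, issued))
```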

Comment 5 Riccardo Schirone 2021-11-05 13:57:18 UTC
Confidentiality set to Low because the exposed information is just the SHA1 of the list admin password concatenated with the time when the token was created. Having access to the hash does not pose an immediate risk to mailman.

Comment 6 Riccardo Schirone 2021-11-05 14:43:08 UTC
Although RHEL 6 and RHEL 7 have support for CSRF tokens, they are just used for admin pages. Indeed, the csrf_token() function is called only in the Form class defined in htmlformat.py, which is used without any context when dealing with regular member pages. Thus no token is generated and no SHA1 of the admin password can be leaked.

Comment 8 errata-xmlrpc 2021-11-23 20:34:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4826 https://access.redhat.com/errata/RHSA-2021:4826

Comment 9 errata-xmlrpc 2021-11-24 08:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4838 https://access.redhat.com/errata/RHSA-2021:4838

Comment 10 errata-xmlrpc 2021-11-24 08:32:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4837 https://access.redhat.com/errata/RHSA-2021:4837

Comment 11 errata-xmlrpc 2021-11-24 08:36:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2021:4839 https://access.redhat.com/errata/RHSA-2021:4839

Comment 12 Product Security DevOps Team 2021-11-24 09:09:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42096