Bug 2020575 (CVE-2021-42096)
| Field | Value |
|---|---|
| Summary | CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack |
| Product | [Other] Security Response |
| Reporter | Marian Rehak <mrehak> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | extras-orphan, infra-sig, jkaluza, jorton, ngompa13 |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | mailman 2.1.35 |
| Doc Type | If docs needed, set a value |
| Doc Text | Sensitive information is exposed to unprivileged users in mailman. The hash of the list admin password is used to derive the CSRF (Cross-site Request Forgery) token, which is exposed to unprivileged members of a list. Malicious members may use the CSRF token to perform an offline brute-force attack to retrieve the list admin password. |
| Story Points | --- |
| Last Closed | 2021-11-24 09:09:08 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 2020576, 2020577, 2020666, 2021136, 2021137, 2021138, 2021139 |
| Bug Blocks | 2020570 |
Description
Marian Rehak
2021-11-05 10:13:15 UTC
Created mailman tracking bugs for this issue:

Affects: fedora-33 [bug 2020576]
Affects: fedora-34 [bug 2020577]

The csrf_token is computed in the csrf_token() function of the CSRFcheck.py file:

```python
import time
import marshal
import binascii

from Mailman.Utils import sha_new


def csrf_token(mlist, contexts, user=None):
    """ create token by mailman cookie generation algorithm """
    # contexts are tried in order; for member pages the first one is
    # mm_cfg.AuthListAdmin, so `secret` is the list admin's stored password hash
    for context in contexts:
        key, secret = mlist.AuthContextInfo(context, user)
        if key:
            break
    else:
        return None # not authenticated
    issued = int(time.time())
    # mac = SHA1(secret || issued): no per-token randomness, no server-side key
    mac = sha_new(secret + `issued`).hexdigest()
    keymac = '%s:%s' % (key, mac)
    # marshal + hex is serialisation, not encryption: issued, key and mac are readable by the recipient
    token = binascii.hexlify(marshal.dumps((issued, keymac)))
    return token
```

When creating an HTML form in a page accessible to a list member, this function is used to compute the token placed in a hidden input field in the form; however, the first context passed to it is mm_cfg.AuthListAdmin, so the csrf_token is created based on the list admin password. Any member of the list can thus extract the `mac` part of the token, which is computed as a SHA1 of the admin's secret (password) plus the time when the token was generated. This data could be used by a malicious user to crack the password of the admin user offline.

Confidentiality is set to Low because the exposed information is just the SHA1 of the list admin password concatenated with the time when the token was created. Having access to the hash does not pose an immediate risk to mailman.

Although RHEL 6 and RHEL 7 have support for CSRF tokens, they are just used for admin pages. Indeed, the csrf_token() function is called only in the Form class defined in htmlformat.py, which is used without any context when dealing with regular member pages. Thus no token is generated and no SHA1 of the admin password can be leaked.
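As an added example (not code from the bug report or from Mailman), the token format described above rendered in Python 3, with a check that the legacy `mac` can be reproduced from the stored admin secret and the public issue time alone, next to an assumed hardened derivation keyed with a random server-side key instead of the admin password hash. `KEY`, `ADMIN_SECRET` and the server key are constructed placeholders, and `hardened_csrf_token()` is an illustration of the principle, not Mailman 2.1.35's actual change.

```python
import binascii
import hashlib
import hmac
import marshal
import secrets
import time

# Constructed stand-ins; in Mailman these come from mlist.AuthContextInfo(mm_cfg.AuthListAdmin, user).
KEY = "example-list+admin"                               # constructed context key
ADMIN_SECRET = "constructed-stored-admin-password-hash"  # constructed stand-in for the stored hash

def legacy_csrf_token(key, secret, issued):
    """Token as the vulnerable csrf_token() builds it: mac = sha1(secret + str(issued))."""
    mac = hashlib.sha1((secret + str(issued)).encode()).hexdigest()
    return binascii.hexlify(marshal.dumps((issued, "%s:%s" % (key, mac)))).decode()

def decode_token(token):
    """Everything a recipient of the form can read back: issue time, key and mac, all unencrypted."""
    issued, keymac = marshal.loads(binascii.unhexlify(token))
    key, mac = keymac.split(":", 1)
    return issued, key, mac

def legacy_mac_recomputable(token, secret):
    """True when the mac is reproducible from the stored secret plus the public issue time alone,
    i.e. nothing random and server-side separates the token from the admin credential."""
    issued, _, mac = decode_token(token)
    return hmac.compare_digest(mac, hashlib.sha1((secret + str(issued)).encode()).hexdigest())

def hardened_csrf_token(key, server_key, issued):
    """Assumed hardened derivation (an illustration, not Mailman 2.1.35's actual change): an HMAC
    under a random server-only key, so the token carries no function of the admin password or hash."""
    mac = hmac.new(server_key, ("%s:%d" % (key, issued)).encode(), hashlib.sha256).hexdigest()
    return binascii.hexlify(marshal.dumps((issued, "%s:%s" % (key, mac)))).decode()

def verify_hardened(token, key, server_key, max_age=600, now=None):
    """Accept only a token for this key, under this server key, issued within max_age seconds."""
    issued, tkey, mac = decode_token(token)
    expected = hmac.new(server_key, ("%s:%d" % (tkey, issued)).encode(), hashlib.sha256).hexdigest()
    now = time.time() if now is None else now
    return tkey == key and hmac.compare_digest(mac, expected) and 0 <= now - issued <= max_age

if __name__ == "__main__":
    server_key = secrets.token_bytes(32)  # generated once per site, never derived from a password
    legacy = legacy_csrf_token(KEY, ADMIN_SECRET, int(time.time()))
    print("legacy token exposes:", decode_token(legacy), legacy_mac_recomputable(legacy, ADMIN_SECRET))
    hardened = hardened_csrf_token(KEY, server_key, int(time.time()))
    print("hardened token verifies:", verify_hardened(hardened, KEY, server_key))
```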
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8, via RHSA-2021:4826: https://access.redhat.com/errata/RHSA-2021:4826
- Red Hat Enterprise Linux 8.1 Extended Update Support, via RHSA-2021:4838: https://access.redhat.com/errata/RHSA-2021:4838
- Red Hat Enterprise Linux 8.2 Extended Update Support, via RHSA-2021:4837: https://access.redhat.com/errata/RHSA-2021:4837
- Red Hat Enterprise Linux 8.4 Extended Update Support, via RHSA-2021:4839: https://access.redhat.com/errata/RHSA-2021:4839

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-42096