Bug 445227 (CVE-2008-1676)

Summary: CVE-2008-1676 Certificate System: incorrect handling of Extensions in CSRs (cs71)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: blord, cfu, ckannan, kevinu, mharmsen, rcvalle, security-response-team, shaines, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-27 00:33:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 440356, 442963, 445230, 445231, 445232    
Bug Blocks:    

Description Tomas Hoger 2008-05-05 15:54:37 UTC 
A flaw was found in a way Red Hat Certificate System handled Extensions in the
certificate signing requests (CSR).  All requested Extensions were added to
issued certificate despite constraints defined in Certificate Authority (CA)
profile.

For example, CSR could contain Basic Constraints or Key Usage constraint that
once copied to issued certificate would result in creation of subordinate CA
certificate, even though CA configuration prohibits issuing of subordinate CA
certificate, possibly leading to a bypass the intended security policy.

Affected versions:
Red Hat Certificate System 7.1, 7.2, 7.3
Netscape Certificate Management System 6.x
Comment 2 Mark J. Cox 2008-05-22 10:51:46 UTC 
It's hard to code this correctly in CVSS v2.  I think we are best to compare it
to flaws where a client not verifying the basic constraints for a signed
certificate, like CVE-2002-0970 or CVE-2002-0862.  The same NVD CVSSv2 score is
also used for cases such as when a revoked certificate is accepted by a service.
 So I believe this should be

        CVSS v2 Base score: 7.5  (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
        and therefore impact=important
Comment 3 Tomas Hoger 2008-07-02 17:48:21 UTC 
Lifting embargo.
Comment 5 Matthew Harmsen 2010-01-27 00:33:59 UTC 
Setting bug to CLOSED per conversation with QE.