Bug 457835 (CVE-2008-3274)

Summary: CVE-2008-3274 IPA Kerberos master password disclosure
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: ckannan, mnagy, rcritten, security-response-team, sgallagh, ssorce
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-09-12 06:23:04 UTC
Bug Depends On: 459581
Attachments (description; flags):
- Makes the dirsrv plugin fetch the master key at each password change (flags: none)
- The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working (flags: none)
- The dump utility may set some flags that produced invalid keys, comment out offending paths (flags: none)
- Utility functions needed by the scripts used to close the issue (flags: none)
- Utility to change the master key (flags: none)
- Source fixes for new installations (flags: none)
- Auxiliary utility to help administrators to close the issue (flags: none)

Description Josh Bressers 2008-08-04 20:45:18 UTC
IPA contains a flaw where installations of freeIPA/RHEIPA exposed the Master Kerberos Password through anonymous queries.

The Master Kerberos Password is used to encrypt keys, however this flaw does not lead to individual keys being exposed.  By itself this flaw has limited scope, but could be combined with a different flaw which could reveal user credentials.

Comment 1 Josh Bressers 2008-08-19 19:31:15 UTC
Simo,

Any update on this?

Comment 2 Simo Sorce 2008-08-19 20:27:04 UTC
We have almost all pieces ready.
Still testing the latest scripts on various configurations.

Comment 3 Simo Sorce 2008-08-19 22:27:47 UTC
Created attachment 314591 [details]
Make our plugin reload the master key every time

This patch allows a smooth transition, greatly reducing the risk that a password change being performed during the data re-encryption is stored with the wrong key.

Comment 4 Simo Sorce 2008-08-19 22:28:55 UTC
Created attachment 314592 [details]
Script that allows people to change the master key

This tool is part of the fix for the security issue. It generates a new random master key and re-encrypts all the data in the directory with the new master key.
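
The reasoning in comments 3 and 4, as an added Python sketch that is not taken from the attachments or from IPA: a plugin that caches the master key keeps wrapping new keys under the retired key after a rotation, while one that fetches it on every password change does not. The dict-based directory, the `Plugin` class and the toy `wrap`/`unwrap` (HMAC-tagged XOR, a stand-in for real Kerberos key encryption) are all assumptions.

```python
import hashlib
import hmac
import secrets

def wrap(mkey, secret):
    """Toy authenticated wrap; a stand-in for real Kerberos key encryption."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(mkey + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))  # secrets up to 32 bytes
    return nonce + ct + hmac.new(mkey, nonce + ct, hashlib.sha256).digest()

def unwrap(mkey, blob):
    """Return the secret, or None if blob was wrapped under another key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(mkey, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    stream = hashlib.sha256(mkey + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Plugin:
    """Hypothetical password-change handler over a dict-based directory."""
    def __init__(self, directory, reload):
        self.dir, self.reload = directory, reload
        self.cached = directory["mkey"]          # read once at start-up

    def change_password(self, user, secret):
        mkey = self.dir["mkey"] if self.reload else self.cached
        self.dir["keys"][user] = wrap(mkey, secret)

def rotate(directory, during=lambda: None):
    """Install a new random master key, then re-encrypt every stored key."""
    old, new = directory["mkey"], secrets.token_bytes(32)
    directory["mkey"] = new
    during()                                     # change arriving mid-rotation
    for user, blob in list(directory["keys"].items()):
        secret = unwrap(old, blob)
        if secret is not None:                   # None: already under new key
            directory["keys"][user] = wrap(new, secret)

def unreadable_after_rotation(reload):
    """Users whose stored key cannot be unwrapped with the current master key."""
    d = {"mkey": secrets.token_bytes(32), "keys": {}}   # constructed sample data
    plugin = Plugin(d, reload)
    plugin.change_password("alice", b"alice-key")
    rotate(d, during=lambda: plugin.change_password("bob", b"bob-key"))
    plugin.change_password("carol", b"carol-key")       # after the rotation
    return sorted(u for u, b in d["keys"].items() if unwrap(d["mkey"], b) is None)
```

With the cached key, the entry written after the rotation is the one left unreadable; with a reload on every change, none are.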

Comment 5 Simo Sorce 2008-08-19 22:29:51 UTC
Created attachment 314593 [details]
Fixes install scripts for new installations

This is the code fix for new installations.

Comment 6 Simo Sorce 2008-08-19 22:31:17 UTC
Created attachment 314594 [details]
Script to help admins handle the security problem

This script is optional but should make the life of admins dealing with the problem much easier.
It is a throw-away script targeted to closing this specific vulnerability.

Comment 7 Chandrasekar Kannan 2008-08-19 23:33:01 UTC
Why is this bug logged against product "Security Response"?
Do you mind if I move it to product "Red Hat Enterprise IPA"? Or would you prefer that I create a separate bug?

Comment 8 Simo Sorce 2008-08-20 12:25:57 UTC
As long as the bug does not become public and bressers is ok with that I am fine either way, as long as we don't start commenting in 2 separate places.

Comment 9 Josh Bressers 2008-08-20 12:36:55 UTC
I will create an IPA bug.  The only purpose for that bug should be for checking things into CVS though.  All comments and relevant information belong in this bug.

Comment 11 Simo Sorce 2008-08-26 12:49:08 UTC
Created attachment 314983 [details]
Makes the dirsrv plugin fetch the master key at each password change

Comment 12 Simo Sorce 2008-08-26 12:49:57 UTC
Created attachment 314984 [details]
The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working

Comment 13 Simo Sorce 2008-08-26 12:50:55 UTC
Created attachment 314985 [details]
The dump utility may set some flags that produced invalid keys, comment out offending paths

Comment 14 Simo Sorce 2008-08-26 12:52:03 UTC
Created attachment 314986 [details]
Utility functions needed by the scripts used to close the issue

Comment 15 Simo Sorce 2008-08-26 12:52:40 UTC
Created attachment 314987 [details]
Utility to change the master key

Comment 16 Simo Sorce 2008-08-26 12:53:14 UTC
Created attachment 314988 [details]
Source fixes for new installations

Comment 17 Simo Sorce 2008-08-26 12:54:22 UTC
Created attachment 314989 [details]
Auxiliary utility to help administrators to close the issue

Comment 18 Simo Sorce 2008-08-26 12:55:17 UTC
Attached the new patches committed to RHEIPA 1.0 after backporting from the master tree and testing on RHEL5.

Comment 19 Josh Bressers 2008-09-10 18:00:53 UTC
Lifting embargo

Comment 20 Fedora Update System 2008-09-12 05:13:45 UTC
ipa-1.1.0-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2008-09-12 05:14:27 UTC
ipa-1.1.0-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.