Bug 747710 (CVE-2011-3636)

Summary: CVE-2011-3636 FreeIPA: CSRF vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abokovoy, ayoung, edewata, kchamart, mkosek, nalin, rcritten, security-response-team, ssorce
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2020-03-30 16:48:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 749870, 750617, 752226, 757883
Bug Blocks: 747715
Attachments (description, flags):
- Require a Referer in the server, send one in the clients (none)
- Modify certmonger to send Referer header with requests (none)
- Updated certmonger patch to address Nalin's concerns (none)
- Final certmonger patch (none)

Description Vincent Danen 2011-10-20 20:13:27 UTC
A Cross-Site Request Forgery (CSRF) flaw was found in FreeIPA due to a lack of checking the Referer header in the server (it is not set in the CLI utilities).  If a remote attacker could trick a user, who was logged into the FreeIPA management interface, into visiting a specially-crafted URL, the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.

Comment 3 Simo Sorce 2011-10-20 20:30:13 UTC
Added Nalin as he is the maintainer of the certmonger package.

Comment 6 Rob Crittenden 2011-10-20 21:42:02 UTC
Created attachment 529392
Require a Referer in the server, send one in the clients

The xmlrpc-c api does not seem to provide a way to set arbitrary headers. It does allow you to set the user-agent string though, so we set that with an embedded line-feed (\n) and a Referer entry. It isn't pretty but it works.
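The description above and the first attachment ("Require a Referer in the server, send one in the clients") describe the server-side half of the fix: a state-changing RPC request is refused unless it carries a Referer whose origin is the server itself. The following is an added illustration of such a check, written for this page; it is not FreeIPA's or certmonger's code, and the host names, header sets and the `check_referer` / `handle_rpc` names are constructed for the example. It also shows why a missing Referer has to count as a rejection rather than a pass, which is the reason the CLI and certmonger clients in this bug were changed to send one.

```python
"""Illustrative server-side Referer check for an RPC endpoint.

Added example for this bug page; not FreeIPA's implementation.
Host names and sample headers below are constructed.
"""
from urllib.parse import urlsplit

# Constructed: the host names under which this server legitimately serves its API.
TRUSTED_HOSTS = {"ipa.example.test"}


def check_referer(headers, trusted_hosts=TRUSTED_HOSTS):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). The request is accepted only if it carries a
    Referer whose scheme is https and whose host is one of ours. A missing
    Referer is a rejection, not a pass: a browser-originated cross-site
    request either carries the other page's origin or no Referer at all,
    so treating absence as acceptable would defeat the check.
    """
    # Header names are case-insensitive; normalize once before lookup.
    normalized = {k.lower(): v for k, v in headers.items()}
    referer = normalized.get("referer")
    if not referer:
        return False, "missing Referer header"
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer scheme is not https"
    # .hostname strips any userinfo and port and lowercases the result, so a
    # value like 'https://ipa.example.test@other.example/' compares as
    # other.example rather than matching on the text before the '@'.
    if parts.hostname not in trusted_hosts:
        return False, "Referer host %r is not this server" % parts.hostname
    return True, "ok"


def handle_rpc(headers, body):
    """Gate an RPC call on the Referer check before dispatching it."""
    allowed, reason = check_referer(headers)
    if not allowed:
        return {"status": 403, "error": reason}
    # Dispatch would happen here; the example only reports what it received.
    return {"status": 200, "result": "dispatched %d bytes" % len(body)}


# Constructed sample header sets: the web UI, a client that sends no Referer
# (the pre-fix CLI behaviour), a request from another site, a URL carrying
# userinfo, and a plain-http Referer.
SAMPLES = {
    "web_ui": {"Referer": "https://ipa.example.test/ipa/ui/",
               "Content-Type": "application/json"},
    "no_referer": {"Content-Type": "application/json"},
    "other_site": {"Referer": "https://other.example/page.html"},
    "userinfo_in_url": {"Referer": "https://ipa.example.test@other.example/"},
    "plain_http": {"referer": "http://ipa.example.test/ipa/ui/"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, handle_rpc(hdrs, b"{}"))
```

Only the `web_ui` sample is dispatched; every other sample returns a 403 with the reason. Comparing on `hostname` rather than on a string prefix of the raw header is what keeps the userinfo case from being accepted.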

Comment 7 Rob Crittenden 2011-10-20 21:43:10 UTC
Created attachment 529394
Modify certmonger to send Referer header with requests

Comment 11 Rob Crittenden 2011-10-28 15:10:30 UTC
Created attachment 530677
Updated certmonger patch to address Nalin's concerns

I added #define _GNU_SOURCE so asprintf() gets defined. I think this should be benign but you know certmonger better than I.

Comment 16 Rob Crittenden 2011-10-31 14:05:57 UTC
Created attachment 530982
Final certmonger patch

Comment 32 Tomas Hoger 2011-12-06 08:55:57 UTC
Lifting embargo.

Comment 33 errata-xmlrpc 2011-12-06 18:43:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1533 https://rhn.redhat.com/errata/RHSA-2011-1533.html

Comment 34 errata-xmlrpc 2011-12-06 19:05:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1533 https://rhn.redhat.com/errata/RHSA-2011-1533.html