Bug 457835 - (CVE-2008-3274) CVE-2008-3274 IPA Kerberos master password disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
source=redhat,reported=20080804,publi...
Keywords: Security
Depends On: 459581
Reported: 2008-08-04 16:45 EDT by Josh Bressers
Modified: 2008-09-12 02:23 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-12 02:23:04 EDT

Attachments
Makes the dirsrv plugin fetch the master key at each password change (22.97 KB, patch)
2008-08-26 08:49 EDT, Simo Sorce
The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working (1.59 KB, patch)
2008-08-26 08:49 EDT, Simo Sorce
The dump utility may set some flags that produced invalid keys, comment out offending paths (1.61 KB, patch)
2008-08-26 08:50 EDT, Simo Sorce
Utility functions needed by the scripts used to close the issue (24.08 KB, patch)
2008-08-26 08:52 EDT, Simo Sorce
Utility to change the master key (14.60 KB, patch)
2008-08-26 08:52 EDT, Simo Sorce
Source fixes for new installations (3.35 KB, patch)
2008-08-26 08:53 EDT, Simo Sorce
Auxiliary utility to help administrators to close the issue (19.33 KB, patch)
2008-08-26 08:54 EDT, Simo Sorce

Description Josh Bressers 2008-08-04 16:45:18 EDT
IPA contains a flaw where installations of freeipa/RHEIPA exposed the Master Kerberos Password through anonymous queries.

The Master Kerberos Password is used to encrypt keys, however this flaw does not lead to individual keys being exposed.  By itself this flaw has limited scope, but could be combined with a different flaw which could reveal user credentials.
Comment 1 Josh Bressers 2008-08-19 15:31:15 EDT
Simo,

Any update on this?
Comment 2 Simo Sorce 2008-08-19 16:27:04 EDT
We have almost all pieces ready.
Still testing the latest scripts on various configurations.
Comment 3 Simo Sorce 2008-08-19 18:27:47 EDT
Created attachment 314591
Make our plugin reload the master key every time

This patch allows a smooth transition greatly reducing the risk that a password change being performed during the data re-encryption is stored with the wrong key.
Comment 4 Simo Sorce 2008-08-19 18:28:55 EDT
Created attachment 314592
Script that allows people to change the master key

This tool is part of the fix for the security issue. It generates a new random master key and re-encrypts all the data in the directory with the new master key.
Comment 5 Simo Sorce 2008-08-19 18:29:51 EDT
Created attachment 314593
Fixes install scripts for new installations

This is the code fix for new installations
Comment 6 Simo Sorce 2008-08-19 18:31:17 EDT
Created attachment 314594
Script to help admins handle the security problem

This script is optional but should make the life of admins dealing with the problem much easier.
It is a throw-away script targeted to closing this specific vulnerability.
Comment 7 Chandrasekar Kannan 2008-08-19 19:33:01 EDT
Why is this bug logged against product "Security Response"?
Do you mind if I move it to product "Red Hat Enterprise IPA"? Or would you prefer that I create a separate bug?
Comment 8 Simo Sorce 2008-08-20 08:25:57 EDT
As long as the bug does not become public and bressers is ok with that I am fine either way, as long as we don't start commenting in 2 separate places.
Comment 9 Josh Bressers 2008-08-20 08:36:55 EDT
I will create an IPA bug. The only purpose for that bug should be for checking things into CVS though. All comments and relevant information belong in this bug.
Comment 11 Simo Sorce 2008-08-26 08:49:08 EDT
Created attachment 314983
Makes the dirsrv plugin fetch the master key at each password change
Comment 12 Simo Sorce 2008-08-26 08:49:57 EDT
Created attachment 314984
The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working
Comment 13 Simo Sorce 2008-08-26 08:50:55 EDT
Created attachment 314985
The dump utility may set some flags that produced invalid keys, comment out offending paths
Comment 14 Simo Sorce 2008-08-26 08:52:03 EDT
Created attachment 314986
Utility functions needed by the scripts used to close the issue
Comment 15 Simo Sorce 2008-08-26 08:52:40 EDT
Created attachment 314987
Utility to change the master key
Comment 16 Simo Sorce 2008-08-26 08:53:14 EDT
Created attachment 314988
Source fixes for new installations
Comment 17 Simo Sorce 2008-08-26 08:54:22 EDT
Created attachment 314989
Auxiliary utility to help administrators to close the issue
Comment 18 Simo Sorce 2008-08-26 08:55:17 EDT
Attached the new patches committed to RHEIPA 1.0 after backporting from the master tree and testing on RHEL5
Comment 19 Josh Bressers 2008-09-10 14:00:53 EDT
Lifting embargo
Comment 20 Fedora Update System 2008-09-12 01:13:45 EDT
ipa-1.1.0-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2008-09-12 01:14:27 EDT
ipa-1.1.0-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
