Bug 457835 (CVE-2008-3274) - CVE-2008-3274 IPA Kerberos master password disclosure
Summary: CVE-2008-3274 IPA Kerberos master password disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3274
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 459581
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-04 20:45 UTC by Josh Bressers
Modified: 2019-09-29 12:26 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-12 06:23:04 UTC


Attachments (Terms of Use)
Makes the dirsrv plugin fetch the master key at each password change (22.97 KB, patch)
2008-08-26 12:49 UTC, Simo Sorce
no flags Details | Diff
The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working (1.59 KB, patch)
2008-08-26 12:49 UTC, Simo Sorce
no flags Details | Diff
The dump utility may set some flags that produced invalid keys, comment out offending paths (1.61 KB, patch)
2008-08-26 12:50 UTC, Simo Sorce
no flags Details | Diff
Utility functions needed by the scripts used to close the issue (24.08 KB, patch)
2008-08-26 12:52 UTC, Simo Sorce
no flags Details | Diff
Utility to change the master key (14.60 KB, patch)
2008-08-26 12:52 UTC, Simo Sorce
no flags Details | Diff
Source fixes for new installations (3.35 KB, patch)
2008-08-26 12:53 UTC, Simo Sorce
no flags Details | Diff
Auxiliary utility to help administrators to close the issue (19.33 KB, patch)
2008-08-26 12:54 UTC, Simo Sorce
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0860 0 normal SHIPPED_LIVE Important: ipa security update 2008-09-10 18:08:10 UTC

Description Josh Bressers 2008-08-04 20:45:18 UTC
IPA contains a flaw in where installations of freipa/RHEIPA exposed the Master Kerberos Password through anonymous queries.

The Master Kerberos Password is used to encrypt keys, however this flaw does not lead to individual keys being exposed.  By itself this flaw has limited scope, but could be combined with a different flaw which could reveal user credentials.

Comment 1 Josh Bressers 2008-08-19 19:31:15 UTC
Simo,

Any update on this?

Comment 2 Simo Sorce 2008-08-19 20:27:04 UTC
We have almost all pieces ready.
Still testing the latest scripts on various configurations.

Comment 3 Simo Sorce 2008-08-19 22:27:47 UTC
Created attachment 314591 [details]
Make our plugin reload the master key every time

This patch allows a smooth transition greatly reducing the risk that a password change being performed during the data re-encryption is stored with the wrong key.

Comment 4 Simo Sorce 2008-08-19 22:28:55 UTC
Created attachment 314592 [details]
Script that allows people to change the master key

This tool is part of the fix for the security issue. It generates a new random master key and re-encrypts all the data in the directory with the new master key.

Comment 5 Simo Sorce 2008-08-19 22:29:51 UTC
Created attachment 314593 [details]
Fixies install scripts for new installations

This is the code fix for new installations

Comment 6 Simo Sorce 2008-08-19 22:31:17 UTC
Created attachment 314594 [details]
Script to help admins handle the security problem

This script is optional but should make the life of admins dealing with the problem much easier.
It is a trhow-away script targeted to closing this specific vulnerability.

Comment 7 Chandrasekar Kannan 2008-08-19 23:33:01 UTC
why is this bug logged against product "Security Response" ?
Do you mind if I move it to product "Red Hat Enterprise IPA" ? or would you prefer that I create a separate bug ?

Comment 8 Simo Sorce 2008-08-20 12:25:57 UTC
As long as the bug does not become public and bressers is ok with that I am fine either way, as long as we don't start commenting in 2 separate places.

Comment 9 Josh Bressers 2008-08-20 12:36:55 UTC
I will create an IPA bug.  the only purpose for that bug should be for checking things into CVS though.  All comments and relevant information belongs in this bug.

Comment 11 Simo Sorce 2008-08-26 12:49:08 UTC
Created attachment 314983 [details]
Makes the dirsrv plugin fetch the master key at each password change

Comment 12 Simo Sorce 2008-08-26 12:49:57 UTC
Created attachment 314984 [details]
The dump utility may set the expiration date to 0 which is a special value to be ignored or the account will stop working

Comment 13 Simo Sorce 2008-08-26 12:50:55 UTC
Created attachment 314985 [details]
The dump utility may set some flags that produced invalid keys, comment out offending paths

Comment 14 Simo Sorce 2008-08-26 12:52:03 UTC
Created attachment 314986 [details]
Utility functions needed by the scripts used to close the issue

Comment 15 Simo Sorce 2008-08-26 12:52:40 UTC
Created attachment 314987 [details]
Utility to change the master key

Comment 16 Simo Sorce 2008-08-26 12:53:14 UTC
Created attachment 314988 [details]
Source fixes for new installations

Comment 17 Simo Sorce 2008-08-26 12:54:22 UTC
Created attachment 314989 [details]
Auxiliary utility to help administrators to close the issue

Comment 18 Simo Sorce 2008-08-26 12:55:17 UTC
Attached the new patches committed to RHEIPA 1.0 after backporting from the master tree and testing on RHEL5

Comment 19 Josh Bressers 2008-09-10 18:00:53 UTC
Lifting embargo

Comment 20 Fedora Update System 2008-09-12 05:13:45 UTC
ipa-1.1.0-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2008-09-12 05:14:27 UTC
ipa-1.1.0-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.