RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 702437 - may be possible to spoof mod_nss FakeBasicAuth
Summary: may be possible to spoof mod_nss FakeBasicAuth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mod_nss
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 749402 797335 CVE-2011-4973
TreeView+ depends on / blocked
 
Reported: 2011-05-05 16:40 UTC by jared jennings
Modified: 2015-01-04 23:48 UTC (History)
4 users (show)

Fixed In Version: mod_nss-1.0.8-13.el6
Doc Type: Bug Fix
Doc Text:
Prior to this update, client certificates were only retrieved during the initial SSL handshake if the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth option only retrieved Common Name rather than the entire certificate subject. Consequently, it was possible to spoof an identity using that option. This bug has been fixed, the FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL, and certificates are now retrieved on all subsequent requests beyond the first one.
Clone Of:
: 749402 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:37:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Use full subject for FakeBasicAuth, always retrieve the client cert (1.15 KB, patch)
2011-05-11 17:28 UTC, Rob Crittenden 		no flags Details | Diff
Revised patch, only get cert in nss_hook_ReadReq() (1.68 KB, patch)
2011-05-11 19:32 UTC, Rob Crittenden 		no flags Details | Diff
nss.conf used to test mod_nss (1.77 KB, text/plain)
2011-11-10 09:19 UTC, Kashyap Chamarthy 		no flags Details
Show Obsolete (1) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1656 0 normal SHIPPED_LIVE mod_nss bug fix update 2011-12-06 00:50:24 UTC

Description jared jennings 2011-05-05 16:40:08 UTC 
This is the same problem outlined in this email:
https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html
I hope it is more succinctly and usefully stated here.

Description of problem:
When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof.

Version-Release number of selected component (if applicable):
1.0.8-8


To reproduce:
1. Configure a TLS website using Apache httpd and mod_nss. Use NSSOptions +FakeBasicAuth, and Require valid-user (for example). Do not require certificates (NSSVerifyClient optional, for example).
2. Set up a password file, with common names of legitimate certificates as usernames, and 'password' (or its crypted or hashed equivalent) as passwords, as directed in the documentation.
3. Visit your website. Do not provide a certificate. Provide the common name of any certificate listed in the password file as a username, and 'password' as the password.
4. Check the server logs. 
  
Actual results:
Page is fetched; response code 200 OK. Server logs show that the page was fetched under the credentials of the user whose common name you typed in.

Expected results:
Response code 403 Access Denied. Server error log says, "Encountered FakeBasicAuth spoof: " and the common name you typed in step 3.


Additional info:
In order for the FakeBasicAuth spoof check (nss_engine_kernel.c:592, in mod_nss-1.0.8-8.el6) to be effective, it must check for usernames of the same form as those legitimately set based on a certificate (nss_engine_kernel.c:628), but coming from the wrong source (via the Authorization header).

In mod_ssl, usernames are set using X509_NAME_oneline (modules/ssl/ssl_engine_kernel.c:1020, in httpd-2.2.15-5.el6, and are of the form "/C=US/O=Bla/OU=Blu/CN=John Doe", which always starts with '/'; this is why the spoof check (ssl_engine_kernel.c:996) checks for (username[0] == '/').

In mod_nss, usernames are set using CERT_GetCommonName (nss_engine_kernel.c:629), and are of the form "John Doe". The spoof check, however, has not been changed since it was branched from mod_ssl, so it will not detect and reject all spoof attempts. The set of legitimate certificate-based usernames and the set of usernames checked for in the spoof check are no longer the same.
Comment 2 jared jennings 2011-05-05 18:47:15 UTC 
I've changed nss_engine_kernel.c around line 629 to use CERT_NameToAscii instead of CERT_GetCommonName, and to put a slash on the beginning of the string first. This makes the spoof check useful again, and ensures that the whole DN is used in authorization, so certificates having the same common name but different issuers will not produce wrong authorization results.
Comment 3 RHEL Program Management 2011-05-06 06:00:11 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 4 Rob Crittenden 2011-05-10 19:16:52 UTC 
Your suggestion in #c2 seems fine to me. sslconn->client_dn is only used for FakeBasicAuth so we can do what we wish with it.
Comment 5 Rob Crittenden 2011-05-11 17:28:41 UTC 
Created attachment 498352 [details]
Use full subject for FakeBasicAuth, always retrieve the client cert

The first fix is to retrieve the full certificate subject instead of just the CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.

The second always attempts to retrieve the client certificate in nss_hook_ReadReq().
Comment 6 Rob Crittenden 2011-05-11 19:32:27 UTC 
Created attachment 498379 [details]
Revised patch, only get cert in nss_hook_ReadReq()
Comment 7 jared jennings 2011-05-12 17:00:27 UTC 
Thank you, sir: this patch fixes both of the problems I've had with mod_nss.
Comment 8 Rob Crittenden 2011-06-15 02:15:42 UTC 
Committed upstream a6c3370491ae1d3bc552e8de9353c82f73e510e3
Comment 10 Tomas Capek 2011-08-22 09:39:48 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, client certificates were only retrieved during the initial SSL handshake if the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth option only retrieved Common Name rather than the entire certificate subject. Consequently, it was possible to spoof an identity using that option. This bug has been fixed, the FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL, and certificates are now retrieved on all subsequent requests beyond the first one.
Comment 11 Kashyap Chamarthy 2011-11-10 09:19:00 UTC 
Created attachment 532763 [details]
nss.conf used to test mod_nss
Comment 12 Kashyap Chamarthy 2011-11-10 10:04:48 UTC 
VERIFIED.

Version Info.
=======================================
[root@dhcp201-108 conf.d]# rpm -q mod_nss
mod_nss-1.0.8-13.el6.x86_64
[root@dhcp201-108 conf.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@dhcp201-108 conf.d]# 
=======================================

Procedure:

1/ Have a Certificate Authority instance handy. I used a Certificate System CA instance located on MachineA

2/ On MachineB : # yum install mod_nss

3/ On MachineB,  Add nss-test.conf to /etc/httpd/conf.d/ (attached in comment #11)

3.1/ Also ensure to include the nss-test.conf in httpd.conf
=======================================
[root@dhcp201-108 conf.d]# grep "Include conf" /etc/httpd/conf/httpd.conf 
#Include conf.d/*.conf
Include conf.d/nss-test.conf
[root@dhcp201-108 conf.d]# 
=======================================

4/ Add the CAs (from MachineA) 'Signing Cert' and 'Server Cert' into /etc/httpd/alias on MachineB (where mod_nss is configured)
=======================================
[root@dhcp201-108 alias]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
Server-Cert cert-pki-ca-aug24-qeb                            u,u,u
caSigningCert cert-pki-ca-aug24-qeb                          CT,C,C
alpha                                                        u,pu,u
[root@dhcp201-108 alias]# 
=======================================

5/ Ensure to include the nss-test.conf

[root@dhcp201-108 conf]# grep "Include conf" httpd.conf 
#Include conf.d/*.conf
Include conf.d/nss-test.conf
[root@dhcp201-108 conf]# 


6/ Create a test html file in /var/www/html
=======================================
[root@dhcp201-108 html]# mkdir securearea ; cd securearea
[root@dhcp201-108 securearea]# cat index.html 
<html>
        <head>
                <title>mod_nss secure area</title>
        </head>
        <body>
                <h1>Red Hat Enterprise Linux</h1>
                +mod_nss secure area
        </body>
</html>

[root@dhcp201-108 securearea]# 
=======================================


7/ Restart httpd on MachineB (where mod_nss is configured)
=======================================
[root@dhcp201-108 alias]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@dhcp201-108 alias]# 
=======================================

8/ Issue a user certificate from the CA and import it into the browser.

9/ Now from the browser, try to access the 'securearea' url

http://MachineB:7443/securearea

Authentication for client certificate should be prompted, and httpd 'access_log' should have the entries

Reload the above url  a few times, now, every reload the should reflect the auth in the access_log

Thanks Rob. for detail.

Successful httpd access_log entries:
#######################################
==> /var/log/httpd/access_log <==
10.16.76.34 - - [10/Nov/2011:03:51:31 -0500] "GET /securearea/ HTTP/1.1" 200 146 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Red Hat/3.6-2.el5_7 Firefox/3.6.23"
10.16.76.34 - - [10/Nov/2011:03:51:47 -0500] "GET /securearea/ HTTP/1.1" 200 146 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Red Hat/3.6-2.el5_7 Firefox/3.6.23"
10.16.76.34 - - [10/Nov/2011:03:52:05 -0500] "GET /securearea/ HTTP/1.1" 200 146 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Red Hat/3.6-2.el5_7 Firefox/3.6.23"
#######################################
Comment 13 errata-xmlrpc 2011-12-06 16:37:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1656.html
Note You need to log in before you can comment on or make changes to this bug.