Bug 876307 - (CVE-2012-5484) CVE-2012-5484 ipa: weakness when initiating join from IPA client can potentially compromise IPA domain
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130123,repo...
Keywords: Security
Duplicates: 842873
Depends On: 878217 878218 878219 878220 903390
Blocks: 876369

Reported: 2012-11-13 14:04 EST by Vincent Danen
Modified: 2013-07-09 09:34 EDT
Doc Type: Bug Fix
Last Closed: 2013-01-23 16:53:19 EST

Attachments
1/4 (2.75 KB, patch), 2012-12-04 08:51 EST, Simo Sorce
2/4 (2.89 KB, patch), 2012-12-04 08:51 EST, Simo Sorce
3/4 (955 bytes, patch), 2012-12-04 08:52 EST, Simo Sorce
4/4 (31.68 KB, patch), 2012-12-04 08:52 EST, Simo Sorce

Description Vincent Danen 2012-11-13 14:04:13 EST
A weakness was found in the way an IPA client would communicate with an IPA server when attempting to join an IPA domain.

When an IPA client attempted to join an IPA domain, and if an attacker were able to spoof the DNS name of the IPA server, the client would connect to the attacker's fake server.  The attacker would be able to intercept the credentials from the client, and issue commands to the server using these credentials, with their privilege.  A join initiated by an administrative user would grant the attacker administrative rights to the IPA server, whereas a join initiated by an unprivileged user would only grant the attacker limited privilege (typically just the ability to join the domain).

This issue affects both the manual method (using the ipa-join or ipa-client-install commands [1]) as well as the OTP (One-Time Password, used with Kickstart [2]) method to join an IPA domain.  However, the amount of privilege an attacker could receive with an OTP join is limited because the client IPA system connects to the server as an unprivileged user (all this user can do is join the domain, nothing more).

IMPORTANT NOTE: This was only effective during the initial client join to the realm, because the client did not yet have the CA certificate of the server.  Once an IPA client has joined the realm and has the IPA server's CA certificate, all further communication is secure and a man-in-the-middle attack will not succeed.  This provided a potential attacker with a very small window of opportunity.

To work around this flaw, using the OTP method with Kickstart is advised, or, if necessary, using the manual method but ensuring that an unprivileged account is used.

[1] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Installing_the_IPA_Client_on_Linux.html
[2] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kickstart.html


Acknowledgements:

Red Hat would like to thank Petr Menšík for reporting this issue.
Comment 13 Simo Sorce 2012-12-04 08:51:28 EST
Created attachment 657525
1/4
Comment 14 Simo Sorce 2012-12-04 08:51:55 EST
Created attachment 657526
2/4
Comment 15 Simo Sorce 2012-12-04 08:52:21 EST
Created attachment 657527
3/4
Comment 16 Simo Sorce 2012-12-04 08:52:47 EST
Created attachment 657528
4/4
Comment 20 Vincent Danen 2012-12-18 10:31:24 EST
To work around/mitigate this problem, use an unprivileged user to join the IPA domain, or use OTP (which can also be used at the command line, not just during kickstart).
Comment 22 Vincent Danen 2013-01-23 16:20:23 EST
External References:

http://www.freeipa.org/page/CVE-2012-5484
Comment 23 Vincent Danen 2013-01-23 16:22:49 EST
Created freeipa tracking bugs for this issue

Affects: fedora-all [bug 903390]
Comment 24 errata-xmlrpc 2013-01-23 16:37:14 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0188 https://rhn.redhat.com/errata/RHSA-2013-0188.html
Comment 25 errata-xmlrpc 2013-01-23 16:48:00 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0189 https://rhn.redhat.com/errata/RHSA-2013-0189.html
Comment 26 Fedora Update System 2013-02-01 23:23:08 EST
freeipa-3.1.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Jenny Galipeau 2013-07-09 09:34:21 EDT
*** Bug 842873 has been marked as a duplicate of this bug. ***