Bug 876307 (CVE-2012-5484) - CVE-2012-5484 ipa: weakness when initiating join from IPA client can potentially compromise IPA domain
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 842873
Depends On: 878217 878218 878219 878220 903390
Blocks: 876369
 
Reported: 2012-11-13 19:04 UTC by Vincent Danen
Modified: 2023-05-11 20:49 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-23 21:53:19 UTC
Embargoed:


Attachments
1/4 (2.75 KB, patch) 2012-12-04 13:51 UTC, Simo Sorce
2/4 (2.89 KB, patch) 2012-12-04 13:51 UTC, Simo Sorce
3/4 (955 bytes, patch) 2012-12-04 13:52 UTC, Simo Sorce
4/4 (31.68 KB, patch) 2012-12-04 13:52 UTC, Simo Sorce


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0188 0 normal SHIPPED_LIVE Important: ipa security update 2013-01-24 02:36:22 UTC
Red Hat Product Errata RHSA-2013:0189 0 normal SHIPPED_LIVE Important: ipa-client security update 2013-01-24 02:46:51 UTC

Description Vincent Danen 2012-11-13 19:04:13 UTC
A weakness was found in the way an IPA client would communicate with an IPA server when attempting to join an IPA domain.

When an IPA client attempted to join an IPA domain, and if an attacker were able to spoof the DNS name of the IPA server, the client would connect to the attacker's fake server.  The attacker would be able to intercept the credentials from the client, and issue commands to the server using these credentials, with their privilege.  A join initiated by an administrative user would grant the attacker administrative rights to the IPA server, whereas a join initiated by an unprivileged user would only grant the attacker limited privilege (typically just the ability to join the domain).

This issue affects both the manual method (using the ipa-join or ipa-client-install commands [1]) as well as the OTP (One-Time Password, used with Kickstart [2]) method to join an IPA domain.  However, the amount of privilege an attacker could receive with an OTP join is limited because the client IPA system connects to the server as an unprivileged user (all this user can do is join the domain, nothing more).

IMPORTANT NOTE: This was only effective during the initial client join to the realm, because the client did not yet have the CA certificate of the server.  Once an IPA client has joined the realm and has the IPA server's CA certificate, all further communication is secure and a man-in-the-middle attack will not succeed.  This provided a potential attacker with a very small window of opportunity.

To work around this flaw, using the OTP method with Kickstart is advised, or, if necessary, using the manual method but ensuring that an unprivileged account is used.

[1] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Installing_the_IPA_Client_on_Linux.html
[2] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kickstart.html


Acknowledgements:

Red Hat would like to thank Petr Menšík for reporting this issue.

Comment 13 Simo Sorce 2012-12-04 13:51:28 UTC
Created attachment 657525 [details]
1/4

Comment 14 Simo Sorce 2012-12-04 13:51:55 UTC
Created attachment 657526 [details]
2/4

Comment 15 Simo Sorce 2012-12-04 13:52:21 UTC
Created attachment 657527 [details]
3/4

Comment 16 Simo Sorce 2012-12-04 13:52:47 UTC
Created attachment 657528 [details]
4/4

Comment 20 Vincent Danen 2012-12-18 15:31:24 UTC
To work around/mitigate this problem, use an unprivileged user to join to the IPA domain, or use OTP (which can also be used at the commandline, not just during kickstart).
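
The work-around in the description and the mitigation in the comment above (join with a one-time password, keep administrative credentials off the client), written up as an added example script. This is not part of the bug report or of the FreeIPA project. It assumes placeholder names (ipa.example.test, example.test, EXAMPLE.TEST, the file /root/ipa-ca.crt) and that ipa-client-install accepts --ca-cert-file, an option current FreeIPA clients document but which this page does not mention. The CA certificate and its SHA-256 fingerprint reach the client out of band (scp, a kickstart %post, a provisioning image), so a server reached through spoofed DNS cannot substitute its own CA during the first contact, and the only credential that crosses the network is an OTP that can do nothing except enroll this one host.

```bash
#!/bin/sh
# Added example, not code from the bug report or from FreeIPA.
# Hostnames, realm and paths below are placeholders (assumptions).
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.test}"   # assumed server FQDN
IPA_DOMAIN="${IPA_DOMAIN:-example.test}"       # assumed DNS domain
IPA_REALM="${IPA_REALM:-EXAMPLE.TEST}"         # assumed Kerberos realm
CA_CERT="${CA_CERT:-/root/ipa-ca.crt}"         # copy of the server's /etc/ipa/ca.crt, delivered out of band

# One-time enrollment password: 16 random bytes from the kernel CSPRNG as
# 32 hex characters. It grants only the right to join one host, so an
# interceptor who captures it gains nothing beyond that single join.
make_otp() {
    od -A n -N 16 -t x1 /dev/urandom | tr -d ' \n'
}

# Command to run on the IPA server as an administrator (never on the client
# being enrolled). Returned as text so it can be reviewed before use.
#   $1 = client FQDN, $2 = OTP from make_otp
build_host_add_cmd() {
    printf 'ipa host-add %s --password=%s\n' "$1" "$2"
}

# Compare the SHA-256 fingerprint of the delivered CA certificate with the
# value the administrator read on the server itself
# ("openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256").
# A forged CA presented by a DNS-spoofing server cannot match a fingerprint
# that was never sent over the network.
#   $1 = path to CA cert, $2 = expected fingerprint (hex, colons optional)
check_ca_fingerprint() {
    [ -r "$1" ] || { echo "CA cert $1 not readable" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# Client-side join command: OTP instead of a user principal (no --principal,
# so no admin or user password is ever typed on the client), the CA cert
# pinned from the local file, and --unattended so nothing prompts for
# credentials. Returned as text for review; run_enroll executes the same line.
#   $1 = client FQDN, $2 = OTP
build_client_install_cmd() {
    printf 'ipa-client-install --unattended --domain=%s --realm=%s --server=%s --hostname=%s --password=%s --ca-cert-file=%s\n' \
        "$IPA_DOMAIN" "$IPA_REALM" "$IPA_SERVER" "$1" "$2" "$CA_CERT"
}

# Perform the enrollment: refuse to proceed unless the delivered CA cert
# matches the fingerprint obtained out of band.
#   $1 = client FQDN, $2 = OTP, $3 = expected CA SHA-256 fingerprint
run_enroll() {
    check_ca_fingerprint "$CA_CERT" "$3" || { echo "CA fingerprint mismatch, refusing to join" >&2; return 1; }
    ipa-client-install --unattended --domain="$IPA_DOMAIN" --realm="$IPA_REALM" \
        --server="$IPA_SERVER" --hostname="$1" --password="$2" --ca-cert-file="$CA_CERT"
}

# Only touch a real IPA server when explicitly asked, so the functions above
# can be sourced or checked without side effects.
if [ "${RUN_ENROLL:-0}" = "1" ]; then
    run_enroll "$(hostname -f)" \
        "${OTP:?set OTP to the value used with ipa host-add on the server}" \
        "${CA_SHA256:?set CA_SHA256 to the fingerprint read on the server}"
fi
```

Usage: on the server, run the line printed by build_host_add_cmd with a fresh make_otp value; copy /etc/ipa/ca.crt and note its SHA-256 fingerprint; deliver cert, fingerprint and OTP to the client through a channel that does not depend on DNS; then run the script there with RUN_ENROLL=1 OTP=... CA_SHA256=... . Even if an attacker intercepts this join, the captured OTP is single-use and limited to enrolling that host, which is exactly the privilege limit the description notes for OTP joins.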

Comment 22 Vincent Danen 2013-01-23 21:20:23 UTC
External References:

http://www.freeipa.org/page/CVE-2012-5484

Comment 23 Vincent Danen 2013-01-23 21:22:49 UTC
Created freeipa tracking bugs for this issue

Affects: fedora-all [bug 903390]

Comment 24 errata-xmlrpc 2013-01-23 21:37:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0188 https://rhn.redhat.com/errata/RHSA-2013-0188.html

Comment 25 errata-xmlrpc 2013-01-23 21:48:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0189 https://rhn.redhat.com/errata/RHSA-2013-0189.html

Comment 26 Fedora Update System 2013-02-02 04:23:08 UTC
freeipa-3.1.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Jenny Severance 2013-07-09 13:34:21 UTC
*** Bug 842873 has been marked as a duplicate of this bug. ***

