Bug 1351593 (CVE-2016-5404) - CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation
Summary: CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5404
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1366979 1366980 1366981 1366982 1367883
Blocks: 1351595
Reported: 2016-06-30 11:54 UTC by Andrej Nemec
Modified: 2021-02-17 03:38 UTC
CC List: 8 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-09-01 14:11:59 UTC
Embargoed:


Attachments
Patch for ipa-4.4 (5.45 KB, patch) - 2016-08-01 12:34 UTC, Fraser Tweedale
Patch for ipa-4.3 (4.63 KB, patch) - 2016-08-01 12:35 UTC, Fraser Tweedale
Patch for ipa-4.2 (4.63 KB, patch) - 2016-08-01 12:35 UTC, Fraser Tweedale
Patch for ipa-4.1 (4.67 KB, patch) - 2016-08-01 12:36 UTC, Fraser Tweedale
Patch for ipa-3.0 AND ipa-2.1 (4.71 KB, patch) - 2016-08-01 12:38 UTC, Fraser Tweedale


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1797 0 normal SHIPPED_LIVE Moderate: ipa security update 2016-09-01 17:57:02 UTC

Description Andrej Nemec 2016-06-30 11:54:16 UTC
Summary: a user with 'retrieve certificate' permission can revoke
any certificate.  The 'revoke certificate' permission is not
required.

Detail: the 'cert_revoke' command does check for the 'revoke
certificate' permission; however, if an access error is raised, it
then invokes the 'cert_show' command.  The rationale was to re-use a
"self-service" check that is part of the 'cert_show' command;
however, it is sufficient that 'cert_show' execute successfully for
'cert_revoke' to recover from the access error and continue.
Therefore, anyone with 'retrieve certificate' permission can revoke
*any* certificate.

Impact: anyone with 'retrieve certificate' permission can cause
various kinds of DoS by revoking any cert they want.

Scope: Every supported version of RHEL with IdM is affected.
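
The authorization flaw described above, modelled as an added example (this is illustrative Python written for this page, not FreeIPA's own code): a vulnerable 'cert_revoke' that treats a successful 'cert_show' as authorization, beside a corrected version that re-checks the self-service condition itself. The 'Caller', 'CertRecord', 'cert_show' and 'cert_revoke_*' names, the permission strings and the certificate store are assumptions of the example; the self-service rule modelled here is "a host principal may act on the certificate whose subject CN is its own hostname".

```python
"""Model of the CVE-2016-5404 logic flaw: an authorization fallback that
trusts the success of a different command's access check.

Added example, not FreeIPA code. Names (Caller, CertRecord, cert_show,
cert_revoke_vulnerable, cert_revoke_fixed) and the sample data are assumed.
"""
from dataclasses import dataclass, field


class ACIError(Exception):
    """Raised when the caller lacks the permission for an operation."""


@dataclass
class Caller:
    principal: str                     # e.g. "host/www.example.test@EXAMPLE.TEST"
    permissions: set = field(default_factory=set)


@dataclass
class CertRecord:
    serial: int
    subject_cn: str                    # hostname in the certificate subject
    revoked: bool = False


def make_cert_db():
    """Constructed sample certificate store (not real data)."""
    return {
        1001: CertRecord(1001, "www.example.test"),
        1002: CertRecord(1002, "db.example.test"),
    }


def check_access(caller, permission):
    """The ACI check: raise ACIError unless the caller holds the permission."""
    if permission not in caller.permissions:
        raise ACIError(f"{caller.principal} lacks '{permission}'")


def host_of(principal):
    """Hostname of a host/<fqdn>@REALM principal, or None for other principals."""
    name = principal.split("@", 1)[0]
    return name[len("host/"):] if name.startswith("host/") else None


def cert_show(db, caller, serial):
    """cert_show needs 'retrieve certificate', with a self-service escape hatch
    so that a host may read the certificate issued to its own hostname."""
    cert = db[serial]
    try:
        check_access(caller, "retrieve certificate")
    except ACIError:
        if host_of(caller.principal) != cert.subject_cn:
            raise
    return {"serial": cert.serial, "subject": cert.subject_cn}


def cert_revoke_vulnerable(db, caller, serial):
    """Flawed pattern: on an ACI failure, fall through to cert_show and treat
    its success as permission to revoke. Anyone holding only
    'retrieve certificate' therefore reaches the revocation step."""
    try:
        check_access(caller, "revoke certificate")
    except ACIError:
        cert_show(db, caller, serial)   # succeeds for any 'retrieve certificate' holder
    db[serial].revoked = True
    return True


def cert_revoke_fixed(db, caller, serial):
    """Corrected pattern: the self-service condition is checked explicitly in
    cert_revoke; the caller must either hold 'revoke certificate' or be the
    host the certificate was issued to. Anything else re-raises the ACIError."""
    try:
        check_access(caller, "revoke certificate")
    except ACIError:
        result = cert_show(db, caller, serial)
        if host_of(caller.principal) != result["subject"]:
            raise
    db[serial].revoked = True
    return True


def try_revoke(fn, db, caller, serial):
    """Run one revocation attempt and report 'revoked' or 'denied'."""
    try:
        fn(db, caller, serial)
        return "revoked"
    except ACIError:
        return "denied"


if __name__ == "__main__":
    reader = Caller("uid=reader@EXAMPLE.TEST", {"retrieve certificate"})
    print("vulnerable:", try_revoke(cert_revoke_vulnerable, make_cert_db(), reader, 1002))
    print("fixed:     ", try_revoke(cert_revoke_fixed, make_cert_db(), reader, 1002))
```

The point of the model is that catching the ACIError and calling another command is not itself a check: the fallback must re-establish the condition that justifies the escape hatch (here, ownership of the certificate) before continuing.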

Comment 1 Andrej Nemec 2016-06-30 11:54:21 UTC
Acknowledgments:

Name: Fraser Tweedale (Red Hat)

Comment 16 Cedric Buissart 2016-08-17 17:25:01 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1367883]

Comment 17 Fedora Update System 2016-08-29 18:54:00 UTC
freeipa-4.3.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2016-09-01 13:58:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1797 https://rhn.redhat.com/errata/RHSA-2016-1797.html
