Bug 1726223 (CVE-2019-10195) - CVE-2019-10195 ipa: Batch API logging user passwords to /var/log/httpd/error_log
Summary: CVE-2019-10195 ipa: Batch API logging user passwords to /var/log/httpd/error_log
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10195
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1728123 1728124 1728125 1776939 1777147 1777252 1777303 1803828
Blocks: 1723319
Reported: 2019-07-02 11:10 UTC by msiddiqu
Modified: 2023-03-24 15:01 UTC

Fixed In Version: FreeIPA 4.6.7, FreeIPA 4.7.4, FreeIPA 4.8.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
Clone Of:
Environment:
Last Closed: 2020-02-04 20:09:36 UTC
Embargoed:


Attachments
Candidate patch (5.66 KB, patch), 2019-07-03 15:28 UTC, Rob Crittenden


Links
Red Hat Product Errata RHSA-2020:0378, last updated 2020-02-04 19:32:15 UTC
Red Hat Product Errata RHSA-2020:1269, last updated 2020-04-01 09:30:01 UTC

Description msiddiqu 2019-07-02 11:10:43 UTC
FreeIPA's batch API logs user passwords to /var/log/httpd/error_log. When the actual command is processed, the passwords get masked out; however, when the batch command is logged, it logs all parameters of the sub-commands, including the sensitive ones.

Comment 2 Rob Crittenden 2019-07-03 15:28:48 UTC
Created attachment 1587101 [details]
Candidate patch

Comment 3 Florence Blanc-Renaud 2019-07-04 07:42:25 UTC
Patch tested successfully. I also ran the ipatests/test_xmlrpc/test_batch_plugin.py tests without any issue.

Example of output in /var/log/httpd/error_log when running in batch "ipa group_find" and "ipa passwd test SecretPwd":

ipa: DEBUG: raw: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: raw: group_find(None, version='2.233')
ipa: DEBUG: group_find(None, private=False, posix=False, external=False, nonposix=False, all=False, raw=False, version='2.233', no_members=True, pkey_only=False)
ipa: INFO: admin: batch: group_find(None): SUCCESS
ipa: DEBUG: raw: passwd('test', '********', None, version='2.233')
ipa: DEBUG: passwd(ipapython.kerberos.Principal('test'), '********', '********', version='2.233')
ipa: INFO: admin: batch: passwd('test', '********', None): SUCCESS
ipa: INFO: [jsonserver_kerb] admin: batch(group_find(None), passwd('test', '********', None)): SUCCESS
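The masking gap that the description and the log excerpt above illustrate, as an added Python model (not FreeIPA's code and not the candidate patch): a per-command renderer that masks secret parameters, a batch renderer that bypasses it by dumping its raw argument, and a repaired batch renderer that routes every sub-command through the same masking. The command metadata and the batch request shape (`{"method": ..., "params": [[args], {options}]}`) are assumptions for the model.

```python
# Added illustration, not FreeIPA code: how a batch wrapper leaks what its
# sub-commands already mask, and the repair. Metadata below is constructed.
MASK = "********"

# Constructed metadata: positional parameter order and which names are secrets.
POSITIONAL = {"passwd": ("principal", "password", "current_password"),
              "group_find": ("criteria",)}
SENSITIVE = {"passwd": {"password", "current_password"}, "group_find": set()}


def _mask(name, pname, value):
    # Mask only real secret values; None stays visible, as in the page's log.
    if pname in SENSITIVE.get(name, set()) and value is not None:
        return MASK
    return value


def repr_command(name, args, options):
    """Render one command call with its secret parameters masked.
    This is the per-command path the description says already masks."""
    pos = POSITIONAL.get(name, ())
    parts = [repr(_mask(name, pos[i] if i < len(pos) else None, v))
             for i, v in enumerate(args)]
    parts += ["%s=%r" % (k, _mask(name, k, v)) for k, v in options.items()]
    return "%s(%s)" % (name, ", ".join(parts))


def repr_batch_leaky(methods):
    """Vulnerable: batch logs its own raw 'methods' argument, so sub-command
    secrets bypass the per-command masking entirely."""
    return "batch(%r)" % (methods,)


def repr_batch_fixed(methods):
    """Repaired: render each sub-command through repr_command, so the batch
    line shows the same masked form the sub-command itself would log."""
    inner = [repr_command(m["method"], *m["params"]) for m in methods]
    return "batch(%s)" % ", ".join(inner)


# Constructed batch matching the page's example: group_find plus a passwd change.
METHODS = [{"method": "group_find", "params": [[None], {}]},
           {"method": "passwd", "params": [["test", "SecretPwd", None], {}]}]

if __name__ == "__main__":
    print("leaky:", repr_batch_leaky(METHODS))   # SecretPwd appears in the log
    print("fixed:", repr_batch_fixed(METHODS))   # passwd('test', '********', None)
```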

Comment 4 Rob Crittenden 2019-07-05 15:23:38 UTC
How should we go about releasing this? Is the upstream reporter going to disclose this at some point?

Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 matter? It is almost certainly affected too.

Is a CVE going to be assigned?

Comment 5 Jamison Bennett 2019-07-05 19:30:54 UTC
(In reply to Rob Crittenden from comment #4)
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?

I am the reporter of this, so I can answer part of your questions. I do not have plans to disclose this. I look forward to using the batch API when RedHat releases this fix. Your patch is better than the one I originally provided with the report because it logs more information than the original one did. Thanks.

> 
> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.
> 
> Is a CVE going to be assigned?

Comment 6 Huzaifa S. Sidhpurwala 2019-07-08 06:52:17 UTC
In reply to comment #4:
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?
> 
> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.
> 
This is rated as having moderate impact, so we will create unacked trackers for rhel-7/8. We don't plan to fix this for rhel-6 though.
> Is a CVE going to be assigned?

We will assign a cve id to this.

Comment 11 Huzaifa S. Sidhpurwala 2019-07-11 04:03:34 UTC
In reply to comment #5:
> (In reply to Rob Crittenden from comment #4)
> > How should we go about releasing this? Is the upstream reporter going to
> > disclose this at some point?
> 
> I am the reporter of this, so I can answer part of your questions. I do not
> have plans to disclose this. I look forward to using the batch API when
> RedHat releases this fix. Your patch is better than the one I originally
> provided with the report because it logs more information than the original
> one did. Thanks.
> 
> > 
> > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> > matter? It is almost certainly affected too.
> > 
> > Is a CVE going to be assigned?

Hi Jamison,

Since you reported this flaw, we would like to acknowledge you as the reporter. Are you OK with using your name "Jamison Bennett" as the reporter, or would you like something like "Jamison Bennett of Cloudera"?

Please let us know.

Comment 12 Jamison Bennett 2019-07-11 13:38:38 UTC
Hi Huzaifa,

Yes, that would be awesome to use something like "Jamison Bennett of Cloudera". Thank you for checking.

Thanks,
Jamison

Comment 13 Huzaifa S. Sidhpurwala 2019-07-15 06:44:11 UTC
Acknowledgments:

Name: Jamison Bennett (Cloudera)

Comment 16 Doran Moppert 2019-07-16 04:35:54 UTC
Statement:

This vulnerability exists in the server component of FreeIPA. Client packages are not affected.

Comment 21 Alexander Bokovoy 2019-11-26 13:47:33 UTC
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.

Comment 23 Huzaifa S. Sidhpurwala 2019-11-27 02:51:12 UTC
Upstream commit: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0

Comment 24 Huzaifa S. Sidhpurwala 2019-11-27 02:51:45 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1777147]

Comment 34 errata-xmlrpc 2020-02-04 19:32:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378

Comment 35 Product Security DevOps Team 2020-02-04 20:09:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10195

Comment 38 errata-xmlrpc 2020-04-01 09:29:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269

