Bug 1746944 (CVE-2019-14826) - CVE-2019-14826 ipa: Session not terminated after logout
Summary: CVE-2019-14826 ipa: Session not terminated after logout
Keywords:
Status: NEW
Alias: CVE-2019-14826
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1749185 1749186 1752710
Blocks: 1746948
TreeView+ depends on / blocked
 
Reported: 2019-08-29 14:48 UTC by Pedro Sampaio
Modified: 2019-09-24 02:34 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-08-29 14:48:44 UTC
A flaw was found in FreeIPA. Old session cookies can be reused after logout leading to session stealing.

Comment 1 Doran Moppert 2019-09-05 00:14:30 UTC
This vulnerability was introduced upstream in commit b895f4a3, which addressed https://fedorahosted.org/freeipa/ticket/6682.  Since that commit, freeipa would ask the client to delete the cookie but retain it in the server-side ccache until it naturally expired.

Comment 2 Doran Moppert 2019-09-05 00:28:01 UTC
The session cookie is highly sensitive information while the session is active, since it can be used to impersonate the user.  It is possible that applications may treat cookies of logged-out sessions more casually, expecting the cookie to no longer be recognised by the server.  Good practice would be to completely erase the cookie client side, or at least never store it with less care than while it is valid, but some applications may fail to do that or save the cookie in a debug log after logout.  Depending on how long the cookie remains valid in the server's ccache, this represents an opportunity for a third party to obtain and re-use the "expired" cookie.

Comment 5 Doran Moppert 2019-09-17 04:24:47 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1752710]

Comment 6 Simo Sorce 2019-09-17 12:50:44 UTC
Hi Doran,
I want to put on the record that I contest the characterization of this bug.

The system works as design and rely on timeouts and browsers not leaking cookies like countless websites do.

Browsers do remove cookies when told, if other applications do not properly handle their access tokens, it is those applications fault, they could as well leak TGTs or passwords, still doesn't make it a server problem.

Comment 10 Doran Moppert 2019-09-20 00:21:02 UTC
(In reply to Simo Sorce from comment #6)
> Hi Doran,
> I want to put on the record that I contest the characterization of this bug.

Thanks Simo.  I think your objection has merit, the attack scenario described in comment 2 requires more than a few misbehaving components beyond IPA.  I'll seek counsel in prodsec about which side of the hardening/vulnerability line this belongs.

Comment 11 Doran Moppert 2019-09-24 02:34:18 UTC
Consensus from Product Security is that this should be tracked as a CVE as while the risk is very small, it is a genuine vulnerability.  Standard browsers will delete the cookie on request, but in the abstract sense a client hitting the logout endpoint on the server is requesting that its token be invalidated, which is not happening here.

Hopefully the Statement makes this clear on CVE pages; I don't think users should be concerned about this issue *unless* they are doing unusual things with automation etc, in which case they need to know their client applications must treat invalidated credentials as still sensitive.

Comment 12 Doran Moppert 2019-09-24 02:34:21 UTC
Statement:

In order to exploit this flaw, an attacker would need to obtain a user's session cookie after the user has logged out but before the server-side credential cache expires. Typically, this will not be possible because browsers protect the cookie while it is valid and delete it immediately as instructed by the server on logout. In order to be exposed to this vulnerability, one would need to be accessing FreeIPA in a non-standard fashion with an insecure web browser or a client application that stores and shares excessive debugging information. Most users of FreeIPA will not be at risk from this flaw.


Note You need to log in before you can comment on or make changes to this bug.