Bug 1992149 (CVE-2021-3698) - CVE-2021-3698 cockpit: authenticates with revoked certificates
Summary: CVE-2021-3698 cockpit: authenticates with revoked certificates
Alias: CVE-2021-3698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1992432, 1992620, 1993783, 1998513, 2005344
Blocks: 1988484, 1992150
Reported: 2021-08-10 16:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 09:46 UTC
CC List: 19 users

Fixed In Version: cockpit 260
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Last Closed: 2022-05-11 07:46:57 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Github cockpit-project cockpit | pull 16703 | 0 | None | open | session: Validate client certificates against sssd's trusted CA | 2021-12-09 15:08:34 UTC
Red Hat Product Errata | RHSA-2022:2008 | 0 | None | None | None | 2022-05-10 14:54:00 UTC

Description Guilherme de Almeida Suckevicz 2021-08-10 16:30:23 UTC
A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.

Comment 4 gkamathe 2021-08-17 16:33:02 UTC
(1) This is not currently a supported use case. The documentation [0] warns that cockpit doesn't do any meaningful verification of the certificate (it does reject expired ones, but no CA/CRL). This behaviour is not a secret, so it might be beneficial to make this unembargoed, to have a pointer for other affected users.

(2) Fixing this properly requires adding a validation D-Bus API to sssd [1]. I filed bug 1992432 for tracking this.

[0] https://cockpit-project.org/guide/latest/cert-authentication.html
[1] https://github.com/SSSD/sssd/issues/5224

Comment 7 Sandipan Roy 2021-08-27 12:49:25 UTC
Created cockpit tracking bugs for this issue:

Affects: fedora-all [bug 1998513]

Comment 8 Sandro Bonazzola 2021-08-27 13:15:40 UTC
Is this going to be fixed for RHEL 7? I'm asking because we got a tracker opened on RHV-M 4.3 (bug #1993783) which is cross-shipping cockpit from RHEL 7 and if it's not going to be fixed there we should close it as well for RHV-M.

Comment 9 Martin Pitt 2021-08-27 14:35:39 UTC
Sandro: No, it does not affect RHEL 7, the certificate auth functionality is RHEL 8/9 only (introduced in version 208, and RHEL 7 has Cockpit 195).

Comment 11 Martin Pitt 2021-12-09 15:08:35 UTC
With sssd 2.6.1 now being available in at least Fedora 35 and Debian testing, I worked on using this new API in Cockpit: https://github.com/cockpit-project/cockpit/pull/16703

This includes integration tests and documentation, and falling back to the pre-2.6.1 API (where only full binary matching is supported). Review much appreciated!

Thanks again to the sssd team, in particular Iker Pedrosa, for adding the validation API!

As this breaks existing systems on upgrades, I add Lucie to CC: you now *have* to configure a CA in sssd for cert logins to work, and unfortunately `realm join` does not do this automatically for IPA. The upstream release note (in the PR, going to be in the release blog) and the upstream docs (once the PR lands) have the details.

Comment 14 errata-xmlrpc 2022-05-10 14:53:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2008 https://access.redhat.com/errata/RHSA-2022:2008

Comment 15 Product Security DevOps Team 2022-05-11 07:46:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

