2020575 – (CVE-2021-42096) CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack

Bug 2020575 (CVE-2021-42096) - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack

Summary: CVE-2021-42096 mailman: CSRF token derived from admin password allows offline...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-42096
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2020576 2020577 Red Hat2020666 Red Hat2021136 Red Hat2021137 Red Hat2021138 Red Hat2021139
Blocks:	Embargoed2020570
TreeView+	depends on / blocked

Reported:	2021-11-05 10:13 UTC by Marian Rehak
Modified:	2021-11-24 09:09 UTC (History)
CC List:	5 users (show)
Fixed In Version:	mailman 2.1.35
Doc Type:	If docs needed, set a value
Doc Text:	Sensitive information is exposed to unprivileged users in mailman. The hash of the list admin password is used to derive the CSRF (Cross-site Request Forgery) token, which is exposed to unprivileged members of a list. Malicious members may use the CSRF token to perform an offline brute-force attack to retrieve the list admin password.
Clone Of:
Environment:
Last Closed:	2021-11-24 09:09:08 UTC

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4826	None	None	None	2021-11-23 20:34:34 UTC
Red Hat Product Errata	RHSA-2021:4837	None	None	None	2021-11-24 08:32:45 UTC
Red Hat Product Errata	RHSA-2021:4838	None	None	None	2021-11-24 08:30:12 UTC
Red Hat Product Errata	RHSA-2021:4839	None	None	None	2021-11-24 08:36:42 UTC

Description Marian Rehak 2021-11-05 10:13:15 UTC

A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

External Reference:

http://www.openwall.com/lists/oss-security/2021/10/21/4

Comment 1 Marian Rehak 2021-11-05 10:14:01 UTC

Created mailman tracking bugs for this issue:

Affects: fedora-33 [bug 2020576]
Affects: fedora-34 [bug 2020577]

Comment 2 Riccardo Schirone 2021-11-05 11:35:56 UTC

Upstream patch:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

Comment 3 Riccardo Schirone 2021-11-05 12:03:12 UTC

The csrf_token is computed in function csrf_token() of CSRFcheck.py file:
```
def csrf_token(mlist, contexts, user=None):
    """ create token by mailman cookie generation algorithm """

    for context in contexts:
        key, secret = mlist.AuthContextInfo(context, user)
        if key:
            break
    else:
        return None     # not authenticated
    issued = int(time.time())
    mac = sha_new(secret + `issued`).hexdigest()
    keymac = '%s:%s' % (key, mac)
    token = binascii.hexlify(marshal.dumps((issued, keymac)))
    return token
```

When creating an HTML form in a page accessible to a list member, this function is used to compute the token placed in a hidden input field in the form, however the first context passed to it is mm_cfg.AuthListAdmin, thus the csrf_token is created based on the list admin password.

Any member of the list can thus extract the `mac` part of the token which is computed as a SHA1 of the admin' secret(password) plus the time when the token was generated. This data could be used by a malicious user to crack the password of the admin user offline.

Comment 5 Riccardo Schirone 2021-11-05 13:57:18 UTC

Confidentiality set to Low because the exposed information is just the SHA1 of the list admin password concatenated with the time when the token was created. Having access to the hash does not pose an immediate risk to mailman.

Comment 6 Riccardo Schirone 2021-11-05 14:43:08 UTC

Although RHEL 6 and RHEL 7 have support for CSRF tokens they are just used for admin pages. Indeed the csrf_token() function is called only in the Form class defined in htmlformat.py, which is used without any context when dealing with regular member pages. Thus no token is generated and no SHA1 of the admin password can be leaked.

Comment 8 errata-xmlrpc 2021-11-23 20:34:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4826 https://access.redhat.com/errata/RHSA-2021:4826

Comment 9 errata-xmlrpc 2021-11-24 08:30:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4838 https://access.redhat.com/errata/RHSA-2021:4838

Comment 10 errata-xmlrpc 2021-11-24 08:32:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4837 https://access.redhat.com/errata/RHSA-2021:4837

Comment 11 errata-xmlrpc 2021-11-24 08:36:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2021:4839 https://access.redhat.com/errata/RHSA-2021:4839

Comment 12 Product Security DevOps Team 2021-11-24 09:09:06 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42096

Note You need to log in before you can comment on or make changes to this bug.