Bug 2020575 (CVE-2021-42096) - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack
Summary: CVE-2021-42096 mailman: CSRF token derived from admin password allows offline...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-42096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020576 2020577 2020666 2021136 2021137 2021138 2021139
Blocks: 2020570
TreeView+ depends on / blocked
 
Reported: 2021-11-05 10:13 UTC by Marian Rehak
Modified: 2021-11-24 09:09 UTC (History)
5 users (show)

Fixed In Version: mailman 2.1.35
Doc Type: If docs needed, set a value
Doc Text:
Sensitive information is exposed to unprivileged users in mailman. The hash of the list admin password is used to derive the CSRF (Cross-site Request Forgery) token, which is exposed to unprivileged members of a list. Malicious members may use the CSRF token to perform an offline brute-force attack to retrieve the list admin password.
Clone Of:
Environment:
Last Closed: 2021-11-24 09:09:08 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4826 0 None None None 2021-11-23 20:34:34 UTC
Red Hat Product Errata RHSA-2021:4837 0 None None None 2021-11-24 08:32:45 UTC
Red Hat Product Errata RHSA-2021:4838 0 None None None 2021-11-24 08:30:12 UTC
Red Hat Product Errata RHSA-2021:4839 0 None None None 2021-11-24 08:36:42 UTC

Description Marian Rehak 2021-11-05 10:13:15 UTC
A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

External Reference:

http://www.openwall.com/lists/oss-security/2021/10/21/4

Comment 1 Marian Rehak 2021-11-05 10:14:01 UTC
Created mailman tracking bugs for this issue:

Affects: fedora-33 [bug 2020576]
Affects: fedora-34 [bug 2020577]

Comment 2 Riccardo Schirone 2021-11-05 11:35:56 UTC
Upstream patch:
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1873

Comment 3 Riccardo Schirone 2021-11-05 12:03:12 UTC
The csrf_token is computed in function csrf_token() of CSRFcheck.py file:
```
def csrf_token(mlist, contexts, user=None):
    """ create token by mailman cookie generation algorithm """

    for context in contexts:
        key, secret = mlist.AuthContextInfo(context, user)
        if key:
            break
    else:
        return None     # not authenticated
    issued = int(time.time())
    mac = sha_new(secret + `issued`).hexdigest()
    keymac = '%s:%s' % (key, mac)
    token = binascii.hexlify(marshal.dumps((issued, keymac)))
    return token
```

When creating an HTML form in a page accessible to a list member, this function is used to compute the token placed in a hidden input field in the form, however the first context passed to it is mm_cfg.AuthListAdmin, thus the csrf_token is created based on the list admin password.

Any member of the list can thus extract the `mac` part of the token which is computed as a SHA1 of the admin' secret(password) plus the time when the token was generated. This data could be used by a malicious user to crack the password of the admin user offline.

Comment 5 Riccardo Schirone 2021-11-05 13:57:18 UTC
Confidentiality set to Low because the exposed information is just the SHA1 of the list admin password concatenated with the time when the token was created. Having access to the hash does not pose an immediate risk to mailman.

Comment 6 Riccardo Schirone 2021-11-05 14:43:08 UTC
Although RHEL 6 and RHEL 7 have support for CSRF tokens they are just used for admin pages. Indeed the csrf_token() function is called only in the Form class defined in htmlformat.py, which is used without any context when dealing with regular member pages. Thus no token is generated and no SHA1 of the admin password can be leaked.

Comment 8 errata-xmlrpc 2021-11-23 20:34:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4826 https://access.redhat.com/errata/RHSA-2021:4826

Comment 9 errata-xmlrpc 2021-11-24 08:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:4838 https://access.redhat.com/errata/RHSA-2021:4838

Comment 10 errata-xmlrpc 2021-11-24 08:32:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:4837 https://access.redhat.com/errata/RHSA-2021:4837

Comment 11 errata-xmlrpc 2021-11-24 08:36:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2021:4839 https://access.redhat.com/errata/RHSA-2021:4839

Comment 12 Product Security DevOps Team 2021-11-24 09:09:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-42096


Note You need to log in before you can comment on or make changes to this bug.