ipa/SOURCES/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch

311 lines
12 KiB
Diff
Raw Permalink Normal View History

From 67ca47ba4092811029eec02f8af9c34ba7662924 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 9 Oct 2023 15:47:03 +0200
Subject: [PATCH] ipa-kdb: Ensure Bronze-Bit check can be enabled
MIT krb5 1.19 and older do not implement support for PAC ticket
signature to protect the encrypted part of tickets. This is the cause of
the Bronze-Bit vulnerability (CVE-2020-17043). The Bronze-Bit attack
detection mechanism introduced in a847e248 relies on the content of the
PAC.
However, since CVE-2022-37967, the content of the PAC can no longer be
trusted if the KDC does not support PAC extended KDC signature (aka.
PAC full checksum). This signature is supported in MIT krb5 since
version 1.21.
Support for the PAC extended KDC signature was backported downstream to
krb5 1.18.2 for CentOS 8 Stream (dist-git commit 7d215a54). This makes
the content of the PAC still trustworthy there.
This commit disables the Bronze-Bit attack detection mechanism at build
time in case krb5 does not provide the krb5_pac_full_sign_compat()
function.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.h | 4 ++++
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 +++++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 02b2cb631..c6926f7d5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -367,6 +367,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm);
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
/* Try to detect a Bronze-Bit attack based on the content of the request and
* data from the KDB.
*
@@ -379,6 +381,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
bool *detected, const char **status);
+# endif
+#endif
/* DELEGATION CHECKS */
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 1032dff0b..ee0546c01 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -185,11 +185,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code kerr;
kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
if (kerr)
return KRB5KDC_ERR_POLICY;
+# else
+# warning Support for Kerberos PAC extended KDC signature is missing.\
+ This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
+# endif
+#endif
*status = NULL;
*lifetime_out = 0;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index b4e22d431..05d5b407d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3299,6 +3299,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
return KRB5_KDB_NOENTRY;
}
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
bool *detected, const char **status)
@@ -3471,3 +3473,5 @@ end:
ipadb_free_principal(context, proxy_entry);
return kerr;
}
+# endif
+#endif
--
2.43.0
From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Jan 26 2024 09:35:57 +0000
Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available
The Bronze-Bit check introduced in commit
a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be
present in the evidence ticket in order for S4U2Proxy requests to be
accepted. This actually requires SIDs to be set.
However, domains that were initialized before commit
e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs
configured. This would results in all S4U2Proxy requests to fail
(including all the HTTP API requests).
This present commit disables the check for the Bronze-Bit exploit
(CVE-2020-17049) in case the domain is not able to generate PACs.
Instead, it prints a warning message in the KDC logs each time a
S4U2Proxy request is processed.
Fixes: https://pagure.io/freeipa/issue/9521
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index c6926f7..621c235 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -370,17 +370,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
/* Try to detect a Bronze-Bit attack based on the content of the request and
- * data from the KDB.
+ * data from the KDB. This check will work only if the domain supports MS-PAC.
*
* context krb5 context
* request KDB request
- * detected Set to "true" if a bronze bit attack is detected and the
- * pointer is not NULL. Remains unset otherwise.
+ * supported If not NULL, set to "false" in case the Bronze-Bit exploit
+ * detection process silently failed to complete because the
+ * domain does not meet requirements. Set to "true" otherwise.
+ * detected If not NULL, set to "true" if a Bronze-Bit attack is detected.
+ * Set to "false" otherwise.
* status If the call fails and the pointer is not NULL, set it with a
* message describing the cause of the failure. */
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status);
+ bool *supported, bool *detected,
+ const char **status);
# endif
#endif
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index ee0546c..713e9a0 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -188,10 +188,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code kerr;
+ bool supported;
- kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
+ status);
if (kerr)
return KRB5KDC_ERR_POLICY;
+
+ if (!supported)
+ krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
+ "FreeIPA vulnerable to the Bronze-Bit exploit "
+ "(CVE-2020-17049). Please generate SIDs to enable "
+ "PAC support.");
# else
# warning Support for Kerberos PAC extended KDC signature is missing.\
This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 05d5b40..a18beff 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3303,11 +3303,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status)
+ bool *supported, bool *detected,
+ const char **status)
{
krb5_error_code kerr;
const char *st = NULL;
size_t i, j;
+ bool in_supported = true, in_detected = false;
+ struct ipadb_context *ipactx;
krb5_ticket *evidence_tkt;
krb5_authdata **authdata, **ifrel = NULL;
krb5_pac pac = NULL;
@@ -3327,6 +3330,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
goto end;
}
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ kerr = KRB5_KDB_DBNOTINITED;
+ goto end;
+ }
+
+ /* Handle the case where the domain is not able to generate PACs (probably
+ * because SIDs are not set). In this case, we just skip the Bronze-Bit
+ * check. */
+ if (!ipactx->mspac) {
+ in_supported = false;
+ kerr = 0;
+ goto end;
+ }
+
evidence_tkt = request->second_ticket[0];
/* No need to check the Forwardable flag. If it was not set, this request
@@ -3451,8 +3469,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
/* This evidence ticket cannot be forwardable given the privileges
* of the proxy principal.
* This is a Bronze Bit attack. */
- if (detected)
- *detected = true;
+ in_detected = true;
st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
kerr = EBADE;
goto end;
@@ -3464,6 +3481,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
end:
if (st && status)
*status = st;
+ if (supported)
+ *supported = in_supported;
+ if (detected)
+ *detected = in_detected;
krb5_free_authdata(context, ifrel);
krb5_pac_free(context, pac);
From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 9 Feb 2024 16:36:03 +0100
Subject: [PATCH] ipd-kdb: Fix some mistakes in
ipadb_check_for_bronze_bit_attack()
Fixes: https://pagure.io/freeipa/issue/9521
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-kdb/ipa_kdb.h | 3 ++-
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +-
daemons/ipa-kdb/ipa_kdb_mspac.c | 5 +++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 621c23591..5de5ea7a5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
* status If the call fails and the pointer is not NULL, set it with a
* message describing the cause of the failure. */
krb5_error_code
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ipadb_check_for_bronze_bit_attack(krb5_context context,
+ const krb5_kdc_req *request,
bool *supported, bool *detected,
const char **status);
# endif
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 713e9a0c8..44959f3de 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -190,7 +190,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
krb5_error_code kerr;
bool supported;
- kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL,
status);
if (kerr)
return KRB5KDC_ERR_POLICY;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 80350364a..886ed7785 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3308,13 +3308,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ipadb_check_for_bronze_bit_attack(krb5_context context,
+ const krb5_kdc_req *request,
bool *supported, bool *detected,
const char **status)
{
krb5_error_code kerr;
const char *st = NULL;
- size_t i, j;
+ size_t i, j = 0;
bool in_supported = true, in_detected = false;
struct ipadb_context *ipactx;
krb5_ticket *evidence_tkt;
--
2.43.0