4.4.2-4: CVE-2016-9575, CVE-2016-7030

Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
  by abusing password policy
Pavel Vomacka 2016-12-14 22:02:29 +01:00 committed by Petr Vobornik
parent 26b01c4688
commit d3389e055a
3 changed files with 234 additions and 1 deletions


@ -0,0 +1,38 @@
From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object. When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles. This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
---
ipaserver/plugins/certprofile.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
reason=_('Certificate profiles cannot be renamed'))
if 'file' in options:
+ # ensure operator has permission to update a certprofile
+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+ raise errors.ACIError(info=_(
+ "Insufficient privilege to modify a certificate profile."))
+
with self.api.Backend.ra_certprofile as profile_api:
profile_api.disable_profile(keys[0])
try:
--
2.7.4
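Review bot: The new check at the top of the `if 'file' in options:` branch uses write access to the single attribute `ipacertprofilestoreissued` as the proxy for "may modify this certificate profile", and nothing in the hunk records why that attribute was chosen or why the check cannot be left to the LDAP modify that LDAPUpdate performs later; a short comment would stop a future maintainer from moving or dropping it, e.g. `# The Dogtag profile is rewritten before the LDAP modify runs, so the entry's ACIs never guard that change; verify write access on a certprofile attribute first.` (the ordering is taken from the patch description, not from the hunk, so it should be confirmed against the surrounding method). The `ldap` and `dn` names and the enclosing method of certprofile_mod start and end outside the hunk. The guard covers only the `file` option path, which is where the `ra_certprofile` backend is invoked, so other option paths presumably remain protected by the ordinary LDAP ACIs on the entry — worth stating in the comment if that is the intent.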


@ -0,0 +1,188 @@
From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
hosts and services
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
---
install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
install/updates/Makefile.am | 1 +
ipaserver/install/service.py | 1 +
3 files changed, 135 insertions(+)
create mode 100644 install/updates/20-default_password_policy.update
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -24,6 +24,7 @@ app_DATA = \
20-winsync_index.update \
20-idoverride_index.update \
20-uuid.update \
+ 20-default_password_policy.update \
21-replicas_container.update \
21-ca_renewal_container.update \
21-certstore_container.update \
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -245,6 +245,7 @@ class Service(object):
# There is no service in the wrong location, nothing to do.
# This can happen when installing a replica
return None
+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
api.Backend.ldap2.delete_entry(entry)
--
2.7.4
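Review bot: The `cosPriority` value `10000000000` written for the three `Default Password Policy` CoS templates exceeds the signed 32-bit range (2147483647); the comment says it is deliberately above what the FreeIPA API accepts, but the update file should also note that it relies on the directory server's CoS plugin handling a value that wide, otherwise the "always lower priority than any user policy" guarantee may not hold — e.g. `# cosPriority must exceed the largest priority the pwpolicy API accepts; confirm the DS CoS plugin compares this as a 64-bit integer`. The comment on the Kerberos policy container also misspells "service" as "sevice". In ipaserver/install/service.py, `entry.pop('krbpwdpolicyreference', None)` removes the attribute whether it was supplied by CoS or set explicitly on the entry, so if an explicitly set reference can exist at that point it is silently lost when the entry is moved; the enclosing method starts and ends outside the hunk, so this is only visible from the comment `# don't copy virtual attr`.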


@ -38,7 +38,7 @@
Name: freeipa
Version: %{VERSION}
Release: 3%{?dist}
Release: 4%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -49,6 +49,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
Patch0003: 0003-certprofile-mod-correctly-authorise-config-update.patch
Patch0004: 0004-password-policy-Add-explicit-default-password-policy.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.5.6
@ -1476,6 +1478,11 @@ fi
%endif # ONLY_CLIENT
%changelog
* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
by abusing password policy
* Tue Nov 29 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-3
- Fixes 1389866 krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV