CVE-2016-9575
CVSS 6.5
Published: 2018-03-13 09:29:00
Revised: 2018-04-13 10:48:31

[Original] Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks.


[CNNVD] CNNVD data not yet available.


[Machine translation] Translation not yet available.

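- CVSS (Base Score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: SINGLE_INSTANCE [--]

- CWE (Weakness Category)

CWE-285 [Improper Authorization]

- CPE (Affected Platforms and Products)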

cpe:/a:freeipa:freeipa:4.2.0
cpe:/a:freeipa:freeipa:4.2.0:alpha1
cpe:/a:freeipa:freeipa:4.2.1
cpe:/a:freeipa:freeipa:4.2.2
cpe:/a:freeipa:freeipa:4.2.3
cpe:/a:freeipa:freeipa:4.2.4
cpe:/a:freeipa:freeipa:4.3.0
cpe:/a:freeipa:freeipa:4.3.1
cpe:/a:freeipa:freeipa:4.3.2
cpe:/a:freeipa:freeipa:4.4.0
cpe:/a:freeipa:freeipa:4.4.1
cpe:/a:freeipa:freeipa:4.4.2

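- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9575
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9575
(Official data source) NVD

- Other Links and Resources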

http://rhn.redhat.com/errata/RHSA-2017-0001.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2017:0001
http://www.securityfocus.com/bid/95068
(VENDOR_ADVISORY)  BID  95068
https://bugzilla.redhat.com/show_bug.cgi?id=1395311
(VENDOR_ADVISORY)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=1395311

- Vulnerability Information (F140324)

Red Hat Security Advisory 2017-0001-01 (PacketStormID:F140324)
2017-01-02 00:00:00
Red Hat  
advisory,remote,denial of service
linux,redhat
CVE-2016-7030,CVE-2016-9575

Red Hat Security Advisory 2017-0001-01 - Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: It was discovered that the default IdM password policies that lock out accounts after a certain number of failed login attempts were also applied to host and service accounts. A remote unauthenticated user could use this flaw to cause a denial of service attack against kerberized services.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ipa security update
Advisory ID:       RHSA-2017:0001-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0001.html
Issue date:        2017-01-02
CVE Names:         CVE-2016-7030 CVE-2016-9575 
=====================================================================

1. Summary:

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.

Security Fix(es):

* It was discovered that the default IdM password policies that lock out
accounts after a certain number of failed login attempts were also applied
to host and service accounts. A remote unauthenticated user could use this
flaw to cause a denial of service attack against kerberized services.
(CVE-2016-7030)

* It was found that IdM's certprofile-mod command did not properly check
the user's permissions while modifying certificate profiles. An
authenticated, unprivileged attacker could use this flaw to modify profiles
to issue certificates with arbitrary naming or key usage information and
subsequently use such certificates for other attacks. (CVE-2016-9575)

The CVE-2016-7030 issue was discovered by Petr Spacek (Red Hat) and the
CVE-2016-9575 issue was discovered by Liam Campbell (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ipa-4.4.0-14.el7_3.1.1.src.rpm

noarch:
ipa-client-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-python-compat-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaclient-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipalib-4.4.0-14.el7_3.1.1.noarch.rpm

x86_64:
ipa-client-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ipa-admintools-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-dns-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaserver-4.4.0-14.el7_3.1.1.noarch.rpm

x86_64:
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-trust-ad-4.4.0-14.el7_3.1.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ipa-4.4.0-14.el7_3.1.1.src.rpm

noarch:
ipa-client-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-python-compat-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaclient-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipalib-4.4.0-14.el7_3.1.1.noarch.rpm

x86_64:
ipa-client-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ipa-admintools-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-dns-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaserver-4.4.0-14.el7_3.1.1.noarch.rpm

x86_64:
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-trust-ad-4.4.0-14.el7_3.1.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.4.0-14.el7_3.1.1.src.rpm

aarch64:
ipa-client-4.4.0-14.el7_3.1.1.aarch64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.aarch64.rpm

noarch:
ipa-admintools-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-client-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-python-compat-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-dns-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaclient-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipalib-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaserver-4.4.0-14.el7_3.1.1.noarch.rpm

ppc64:
ipa-client-4.4.0-14.el7_3.1.1.ppc64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.ppc64.rpm

ppc64le:
ipa-client-4.4.0-14.el7_3.1.1.ppc64le.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.ppc64le.rpm

s390x:
ipa-client-4.4.0-14.el7_3.1.1.s390x.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.s390x.rpm

x86_64:
ipa-client-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-trust-ad-4.4.0-14.el7_3.1.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ipa-4.4.0-14.el7_3.1.1.src.rpm

noarch:
ipa-admintools-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-client-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-python-compat-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-common-4.4.0-14.el7_3.1.1.noarch.rpm
ipa-server-dns-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaclient-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipalib-4.4.0-14.el7_3.1.1.noarch.rpm
python2-ipaserver-4.4.0-14.el7_3.1.1.noarch.rpm

x86_64:
ipa-client-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-debuginfo-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-4.4.0-14.el7_3.1.1.x86_64.rpm
ipa-server-trust-ad-4.4.0-14.el7_3.1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7030
https://access.redhat.com/security/cve/CVE-2016-9575
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYajgnXlSAg2UNWIIRAuijAJ4gXTGTMPQiEmlXks0jn+TZ1vhEzgCgmcJt
DGQauZp1jzO249TxyXk0qfg=
=Hozf
-----END PGP SIGNATURE-----


- Vulnerability Information

Title: FreeIPA CVE-2016-9575 Insecure File Permissions Vulnerability
Class: Design Error
Bugtraq ID: 95068
Remote: Yes
Local: No
Published: 2016-12-22 12:00:00
Updated: 2016-12-23 12:02:00
Credit: Liam Campbell (Red Hat)

- Affected Software Versions

Redhat Freeipa 4.4
Redhat Freeipa 4.3
Redhat Freeipa 4.2.0.0

- Vulnerability Discussion

FreeIPA is prone to an insecure file-permissions vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.
