ID CVE-2012-4546
Summary The default configuration for IPA servers in Red Hat Enterprise Linux 6, when revoking a certificate from an Identity Management replica, does not properly update another Identity Management replica, which causes inconsistent Certificate Revocation Lists (CRLs) to be used and might allow remote attackers to bypass intended access restrictions via a revoked certificate.
References
Vulnerable Configurations
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
CVSS
Base: 4.3 (as of 03-04-2013 - 08:44)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1445.NASL
    description Update to upstream 3.1.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64419
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64419
    title Fedora 18 : freeipa-3.1.2-1.fc18 (2013-1445)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0528.NASL
    description Updated ipa packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica. (CVE-2012-4546) These updated ipa packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. Users are advised to upgrade to these updated ipa packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 64773
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64773
    title RHEL 6 : ipa (RHSA-2013:0528)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130221_IPA_ON_SL6_X.NASL
    description It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica. (CVE-2012-4546)
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 65012
    published 2013-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65012
    title Scientific Linux Security Update : ipa on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0528.NASL
    description From Red Hat Security Advisory 2013:0528 : Updated ipa packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica. (CVE-2012-4546) These updated ipa packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. Users are advised to upgrade to these updated ipa packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68762
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68762
    title Oracle Linux 6 : ipa (ELSA-2013-0528)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0528.NASL
    description Updated ipa packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL; however, this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica. (CVE-2012-4546) These updated ipa packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. Users are advised to upgrade to these updated ipa packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65157
    published 2013-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65157
    title CentOS 6 : ipa (CESA-2013:0528)
redhat via4
advisories
bugzilla
id 905594
title Unable to install ipa-server-trust-ad pkg on 32-bit platform
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment ipa-admintools is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528007
      • comment ipa-admintools is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111533006
    • AND
      • comment ipa-client is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528005
      • comment ipa-client is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111533010
    • AND
      • comment ipa-python is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528009
      • comment ipa-python is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111533008
    • AND
      • comment ipa-server is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528011
      • comment ipa-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111533012
    • AND
      • comment ipa-server-selinux is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528013
      • comment ipa-server-selinux is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111533014
    • AND
      • comment ipa-server-trust-ad is earlier than 0:3.0.0-25.el6
        oval oval:com.redhat.rhsa:tst:20130528015
      • comment ipa-server-trust-ad is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20130528016
rhsa
id RHSA-2013:0528
released 2013-02-21
severity Low
title RHSA-2013:0528: ipa security, bug fix and enhancement update (Low)
rpms
  • ipa-admintools-0:3.0.0-25.el6
  • ipa-client-0:3.0.0-25.el6
  • ipa-python-0:3.0.0-25.el6
  • ipa-server-0:3.0.0-25.el6
  • ipa-server-selinux-0:3.0.0-25.el6
  • ipa-server-trust-ad-0:3.0.0-25.el6
refmap via4
Last major update 03-04-2013 - 00:00
Published 02-04-2013 - 20:55
Last modified 22-04-2019 - 13:48
Back to Top