ID CVE-2012-5484
Summary The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the Certification Authority (CA) certificate from the server, which allows man-in-the-middle attackers to spoof a join procedure via a crafted certificate.
References
Vulnerable Configurations
  • Red Hat FreeIPA 2.2.1
    cpe:2.3:a:redhat:freeipa:2.2.1
  • Red Hat FreeIPA 2.1.4
    cpe:2.3:a:redhat:freeipa:2.1.4
  • Red Hat FreeIPA 2.1.3
    cpe:2.3:a:redhat:freeipa:2.1.3
  • Red Hat FreeIPA 2.1.1
    cpe:2.3:a:redhat:freeipa:2.1.1
  • Red Hat FreeIPA 2.1.0
    cpe:2.3:a:redhat:freeipa:2.1.0
  • Red Hat FreeIPA 2.0.1
    cpe:2.3:a:redhat:freeipa:2.0.1
  • Red Hat FreeIPA 2.0.0
    cpe:2.3:a:redhat:freeipa:2.0.0
  • Red Hat FreeIPA 3.1.1
    cpe:2.3:a:redhat:freeipa:3.1.1
  • Red Hat FreeIPA 3.0.2
    cpe:2.3:a:redhat:freeipa:3.0.2
  • Red Hat FreeIPA 3.0.1
    cpe:2.3:a:redhat:freeipa:3.0.1
  • Red Hat FreeIPA 3.0.0
    cpe:2.3:a:redhat:freeipa:3.0.0
CVSS
Base: 7.9 (as of 28-01-2013 - 12:40)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: ADJACENT_NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-2434.NASL
    description Update to upstream 2.2.1 GA. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64855
    published 2013-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64855
    title Fedora 17 : freeipa-2.2.2-1.fc17 (2013-2434)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0189.NASL
    description An updated ipa-client package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. When a fix for this flaw has been applied to the client but not yet the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. 
    If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa-client are advised to upgrade to this updated package, which corrects this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 63673
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63673
    title CentOS 5 : ipa-client (CESA-2013:0189)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0189.NASL
    description From Red Hat Security Advisory 2013:0189 : An updated ipa-client package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. When a fix for this flaw has been applied to the client but not yet the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. 
    In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa-client are advised to upgrade to this updated package, which corrects this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68715
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68715
    title Oracle Linux 5 : ipa-client (ELSA-2013-0189)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0188.NASL
    description Updated ipa packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. This update must be installed on both the IPA client and IPA server. When this update has been applied to the client but not the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. 
    In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa are advised to upgrade to these updated packages, which correct this issue. After installing the update, changes in LDAP are handled by ipa-ldap-updater automatically and are effective immediately.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 63675
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63675
    title RHEL 6 : ipa (RHSA-2013:0188)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0188.NASL
    description Updated ipa packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. This update must be installed on both the IPA client and IPA server. When this update has been applied to the client but not the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. 
    In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa are advised to upgrade to these updated packages, which correct this issue. After installing the update, changes in LDAP are handled by ipa-ldap-updater automatically and are effective immediately.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64081
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64081
    title CentOS 6 : ipa (CESA-2013:0188)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0189.NASL
    description An updated ipa-client package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. When a fix for this flaw has been applied to the client but not yet the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. 
    If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa-client are advised to upgrade to this updated package, which corrects this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 63676
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63676
    title RHEL 5 : ipa-client (RHSA-2013:0189)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1445.NASL
    description Update to upstream 3.1.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 64419
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64419
    title Fedora 18 : freeipa-3.1.2-1.fc18 (2013-1445)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130123_IPA_CLIENT_ON_SL5_X.NASL
    description A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). When a fix for this flaw has been applied to the client but not yet the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 64090
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64090
    title Scientific Linux Security Update : ipa-client on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0188.NASL
    description From Red Hat Security Advisory 2013:0188 : Updated ipa packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat Identity Management is a centralized authentication, identity management and authorization solution for both traditional and cloud-based enterprise environments. A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). Red Hat would like to thank Petr Mensik for reporting this issue. This update must be installed on both the IPA client and IPA server. 
    When this update has been applied to the client but not the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. Users of ipa are advised to upgrade to these updated packages, which correct this issue. After installing the update, changes in LDAP are handled by ipa-ldap-updater automatically and are effective immediately.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68714
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68714
    title Oracle Linux 6 : ipa (ELSA-2013-0188)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130123_IPA_ON_SL6_X.NASL
    description A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials. (CVE-2012-5484) Note: This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm). This update must be installed on both the IPA client and IPA server. When this update has been applied to the client but not the server, ipa-client-install, in unattended mode, will fail if you do not have the correct CA certificate locally, noting that you must use the '--force' option to insecurely obtain the certificate. In interactive mode, the certificate will try to be obtained securely from LDAP. If this fails, you will be prompted to insecurely download the certificate via HTTP. In the same situation when using OTP, LDAP will not be queried and you will be prompted to insecurely download the certificate via HTTP. After installing the update, changes in LDAP are handled by ipa-ldap-updater automatically and are effective immediately.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 64091
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64091
    title Scientific Linux Security Update : ipa on SL6.x i386/x86_64
redhat via4
advisories
  • bugzilla
    id 876307
    title CVE-2012-5484 ipa: weakness when initiating join from IPA client can potentially compromise IPA domain
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment ipa-admintools is earlier than 0:2.2.0-17.el6_3.1
          oval oval:com.redhat.rhsa:tst:20130188005
        • comment ipa-admintools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533006
      • AND
        • comment ipa-client is earlier than 0:2.2.0-17.el6_3.1
          oval oval:com.redhat.rhsa:tst:20130188007
        • comment ipa-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533010
      • AND
        • comment ipa-python is earlier than 0:2.2.0-17.el6_3.1
          oval oval:com.redhat.rhsa:tst:20130188009
        • comment ipa-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533008
      • AND
        • comment ipa-server is earlier than 0:2.2.0-17.el6_3.1
          oval oval:com.redhat.rhsa:tst:20130188013
        • comment ipa-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533012
      • AND
        • comment ipa-server-selinux is earlier than 0:2.2.0-17.el6_3.1
          oval oval:com.redhat.rhsa:tst:20130188011
        • comment ipa-server-selinux is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533014
    rhsa
    id RHSA-2013:0188
    released 2013-01-23
    severity Important
    title RHSA-2013:0188: ipa security update (Important)
  • bugzilla
    id 876307
    title CVE-2012-5484 ipa: weakness when initiating join from IPA client can potentially compromise IPA domain
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment ipa-client is earlier than 0:2.1.3-5.el5_9.2
      oval oval:com.redhat.rhsa:tst:20130189002
    • comment ipa-client is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20130189003
    rhsa
    id RHSA-2013:0189
    released 2013-01-23
    severity Important
    title RHSA-2013:0189: ipa-client security update (Important)
rpms
  • ipa-admintools-0:2.2.0-17.el6_3.1
  • ipa-client-0:2.2.0-17.el6_3.1
  • ipa-python-0:2.2.0-17.el6_3.1
  • ipa-server-0:2.2.0-17.el6_3.1
  • ipa-server-selinux-0:2.2.0-17.el6_3.1
  • ipa-client-0:2.1.3-5.el5_9.2
refmap via4
confirm
Last major update 07-02-2013 - 00:01
Published 27-01-2013 - 13:55