ID CVE-2016-9575
Summary Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks.
References
Vulnerable Configurations
  • cpe:2.3:a:freeipa:freeipa:4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.2.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:freeipa:freeipa:4.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:freeipa:freeipa:4.4.2:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 09-10-2019 - 23:20)
Impact:
Exploitability:
CWE CWE-285
CAPEC
  • Manipulating Opaque Client-based Data Tokens
    In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
  • Manipulating Web Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Bypassing ATA Password Security
    An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Poison Web Service Registry
    SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Collect Data from Registries
    An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.
  • Using Malicious Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
  • Forceful Browsing
    An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1395311
title CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment ipa-admintools is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001001
        • comment ipa-admintools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111533002
      • AND
        • comment ipa-client is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001003
        • comment ipa-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268008
      • AND
        • comment ipa-client-common is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001005
        • comment ipa-client-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268010
      • AND
        • comment ipa-common is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001007
        • comment ipa-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268014
      • AND
        • comment ipa-python-compat is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001009
        • comment ipa-python-compat is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268022
      • AND
        • comment ipa-server is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001011
        • comment ipa-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268024
      • AND
        • comment ipa-server-common is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001013
        • comment ipa-server-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268026
      • AND
        • comment ipa-server-dns is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001015
        • comment ipa-server-dns is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268028
      • AND
        • comment ipa-server-trust-ad is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001017
        • comment ipa-server-trust-ad is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20194268030
      • AND
        • comment python2-ipaclient is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001019
        • comment python2-ipaclient is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20170001020
      • AND
        • comment python2-ipalib is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001021
        • comment python2-ipalib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20170001022
      • AND
        • comment python2-ipaserver is earlier than 0:4.4.0-14.el7_3.1.1
          oval oval:com.redhat.rhsa:tst:20170001023
        • comment python2-ipaserver is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20170001024
rhsa
id RHSA-2017:0001
released 2017-01-02
severity Moderate
title RHSA-2017:0001: ipa security update (Moderate)
rpms
  • ipa-admintools-0:4.4.0-14.el7_3.1.1
  • ipa-client-0:4.4.0-14.el7_3.1.1
  • ipa-client-common-0:4.4.0-14.el7_3.1.1
  • ipa-common-0:4.4.0-14.el7_3.1.1
  • ipa-debuginfo-0:4.4.0-14.el7_3.1.1
  • ipa-python-compat-0:4.4.0-14.el7_3.1.1
  • ipa-server-0:4.4.0-14.el7_3.1.1
  • ipa-server-common-0:4.4.0-14.el7_3.1.1
  • ipa-server-dns-0:4.4.0-14.el7_3.1.1
  • ipa-server-trust-ad-0:4.4.0-14.el7_3.1.1
  • python2-ipaclient-0:4.4.0-14.el7_3.1.1
  • python2-ipalib-0:4.4.0-14.el7_3.1.1
  • python2-ipaserver-0:4.4.0-14.el7_3.1.1
refmap via4
bid 95068
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1395311
Last major update 09-10-2019 - 23:20
Published 13-03-2018 - 13:29
Last modified 09-10-2019 - 23:20
Back to Top