• Bug
    • Resolution: Done-Errata
    • Critical
    • rhel-8.10
    • rhel-8.6.0.z, rhel-8.7.0.z, rhel-8.8.0.z, rhel-8.9.0.z, rhel-8.10
    • ipa
    • ipa-4.9.13-6.module+el8.10.0+21338+730b6341
    • None
    • Critical
    • ZStream
    • 3
    • rhel-sst-idm-ipa
    • ssg_idm
    • 24
    • 26
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • 2024-Q1-Bravo-S2, 2024-Q1-Bravo-S3, 2024-Q1-Bravo-S4
    • Approved Blocker
    • Bug Fix
      .Check on the forwardable flag is disabled in cases where SIDs are generated for the domain

      Previously, the update providing a fix for CVE-2020-17049 relied on the Kerberos PAC to run certain checks on the ticket *forwardable* flag when the KDC processes a general constrained delegation request. However, the PAC is generated only on domains where the SIDs generation task was executed in the past. While this task is automatically performed for all IdM domains created on Red Hat Enterprise Linux (RHEL) 8.5 and newer, domains initialized on older versions require manual execution of this task.

      In case the SIDs generation task was never executed manually for IdM domains initialized on RHEL 8.4 and older, the PAC will be missing on Kerberos tickets, resulting in rejection of all general constrained delegation requests. This includes IdM's HTTP API, which relies on general constrained delegation.

      With this update, the check of the *forwardable* flag is disabled in cases where SIDs were not generated for the domain. Services relying on general constrained delegation, including IdM HTTP API, continue working. However, Red Hat recommends running the SIDs generation task on the domain as soon as possible, especially if the domain has custom general constrained delegation rules configured. Until this is done, the domain remains vulnerable to CVE-2020-17049.
    • Done
    • None

      The recently released Bronze-Bit detection mechanism relies on the PAC to filter S4U2Proxy requests. However, on RHEL 8, for the PAC to be present, the impersonated principal needs to have a SID.

      It seems that for numerous IPA domains initialized before RHEL 8.5, the SID generation task was never executed, hence PACs are still not generated in tickets. This is a major issue as updating IPA on these domains will cause the HTTP API to stop working, because the API relies on S4U2Proxy, and the Bronze-Bit check needs an evidence ticket with a PAC to accept the request.

      The Bronze-Bit check should be executed only if the IPA domain is able to generate PACs.

            [RHEL-22313] Enable Bronze-Bit check only if SIDs are set

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: idm:DL1 security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:3044


            Julien Rische added a comment -

            mstubna@redhat.com The release note text looks good to me.

            Michal Stubna added a comment -

            jrische@redhat.com please fill in the Release note text draft under the Documentation tab if you want a release note. Thanks.

            Michal Polovka added a comment - - edited

            Verified
            # # install and configure ipa-server on RHEL8.3
            # # upgrade to RHEL8.10 with 
            # kinit admin
            # ipa ping
            --------------------------------------------
            IPA server version 4.9.13. API version 2.251
            --------------------------------------------
            # cat /var/log/krb5kdc.log  | grep SID
            Feb 26 03:27:11 vm-xxx.com krb5kdc[3287](Warning): MS-PAC not available. This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). Please generate SIDs to enable PAC support. 
            # ipa-server-upgrade
            ...
            [Enable sidgen and extdom plugins by default]
            ...
            The IPA services were upgraded
            The ipa-server-upgrade command was successful  
            # ipa ping
            --------------------------------------------
            IPA server version 4.9.13. API version 2.251
            -------------------------------------------- 
            # cat /var/log/krb5kdc.log  | grep SID
            Feb 26 03:27:11 vm-xxx.com krb5kdc[3287](Warning): MS-PAC not available. This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). Please generate SIDs to enable PAC support.

            No new warning is generated after enabling SIDgen, therefore marking as verified.

            Michal Polovka added a comment -

            Pre-verified manually using following steps:

            On RHEL.8.3 machine (to avoid SIDs generation)

            1. install ipa-server
            2. configure ipa-server
            3. upgrade to RHEL8.10

            On RHEL8.10 machine with ipa-server-4.9.13-6.module+el8.10.0+21338+730b6341.x86_64

            # kinit admin
            # ipa ping
            # cat /var/log/krb5kdc.log  | grep SID
            Feb 21 05:53:53 vm-xxx.redhat.com krb5kdc[2074](Warning): MS-PAC not available. This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). Please generate SIDs to enable PAC support.
            # ipa-server-upgrade
            # ipa config-mod --enable-sid --add-sids
              Maximum username length: 32
              Maximum hostname length: 64
              Home directory base: /home
              Default shell: /bin/sh
              Default users group: ipausers
              Default e-mail domain: xxx.redhat.com
              Search time limit: 2
              Search size limit: 100
              User search fields: uid,givenname,sn,telephonenumber,ou,title
              Group search fields: cn,description
              Enable migration mode: False
              Certificate Subject base: O=XXX.REDHAT.COM
              Password Expiration Notification (days): 4
              Password plugin features: AllowNThash, KDC:Disable Last Success
              SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
              Default SELinux user: unconfined_u:s0-s0:c0.c1023
              Default PAC types: MS-PAC, nfs:NONE
            ...
            
            # ipa ping
            # cat /var/log/krb5kdc.log  | grep SID
            (no new warning)

            Marking as passed preliminary testing.

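As an added example (not part of this issue and not FreeIPA project code), the following POSIX shell script automates the `grep SID` step from the verification above: it scans a krb5kdc log for the "MS-PAC not available" warning the KDC logs when it cannot attach a PAC, and reports whether the domain still lacks SIDs. The two log files are constructed samples: the warning line copies the text quoted in this issue, while the hostname, the realm IPA.TEST, the client address and the surrounding info lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the Jira issue: unattended version of the
# "cat /var/log/krb5kdc.log | grep SID" check used during verification.

# Constructed sample logs. The warning text is the one quoted in the issue;
# the info lines are made-up filler laid out like krb5kdc's own entries.
LOG_BEFORE=$(mktemp)
cat > "$LOG_BEFORE" <<'EOF'
Feb 26 03:27:10 vm-xxx.com krb5kdc[3287](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1708939630, etypes {rep=18 tkt=18 ses=18}, admin@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST
Feb 26 03:27:11 vm-xxx.com krb5kdc[3287](Warning): MS-PAC not available. This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049). Please generate SIDs to enable PAC support.
Feb 26 03:27:12 vm-xxx.com krb5kdc[3287](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1708939630, etypes {rep=18 tkt=18 ses=18}, admin@IPA.TEST for HTTP/vm-xxx.com@IPA.TEST
EOF

LOG_AFTER=$(mktemp)
cat > "$LOG_AFTER" <<'EOF'
Feb 26 04:10:01 vm-xxx.com krb5kdc[3287](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1708942201, etypes {rep=18 tkt=18 ses=18}, admin@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST
EOF
trap 'rm -f "$LOG_BEFORE" "$LOG_AFTER"' EXIT

# Fixed prefix of the warning; matching on it rather than on "SID" avoids
# hits on unrelated lines that merely mention SIDs.
PAC_WARNING='MS-PAC not available'

# count_pac_warnings LOGFILE: number of warning lines (prints 0 when none;
# grep exits 1 on no match, so the status is swallowed).
count_pac_warnings() {
    grep -c "$PAC_WARNING" "$1" || true
}

# latest_pac_warning LOGFILE: syslog timestamp of the most recent warning,
# empty when the log has none. Old warnings stay in the log after SIDs are
# generated, so compare this against the time of the change.
latest_pac_warning() {
    grep "$PAC_WARNING" "$1" | tail -n 1 | awk '{print $1, $2, $3}'
}

# pac_status LOGFILE: VULNERABLE when the KDC has reported it cannot attach a
# PAC (so the Bronze-Bit check cannot run), OK otherwise. Always exits 0 so
# the result is the printed word, not the exit status.
pac_status() {
    if [ "$(count_pac_warnings "$1")" -gt 0 ]; then
        echo VULNERABLE
    else
        echo OK
    fi
}

# Stand-alone run: report both sample logs.
for f in "$LOG_BEFORE" "$LOG_AFTER"; do
    printf '%s: %s (%s warnings, last at "%s")\n' \
        "$f" "$(pac_status "$f")" "$(count_pac_warnings "$f")" "$(latest_pac_warning "$f")"
done
```

Run it against the real /var/log/krb5kdc.log before and after `ipa-server-upgrade` and `ipa config-mod --enable-sid --add-sids`. Because earlier warning lines remain in the log, a clean result means no warning newer than the change, which is what `latest_pac_warning` is for; a status of OK on the sample log that holds only post-change lines corresponds to the "(no new warning)" outcome in the verification.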

            gitlab-bot added a comment -

            Rafael Guterres Jeffman mentioned this issue in a commit of Red Hat / centos-stream / rpms / ipa on branch stream-idm-DL1-rhel-8.10.0:

            ipa-kdb: Fix compilation issues.


            gitlab-bot added a comment -

            Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch stream-idm-DL1-rhel-8.10.0-ipa-4.9.13-5:

            ipa release 4.9.13-5

            Florence Renaud added a comment -

            Additional patch required:

            Fixed upstream
            ipa-4-9:
            https://pagure.io/freeipa/c/81aa6ef695838a4b2fb5a53e773ea379a492913d

            Florence Renaud added a comment -

            Fixed upstream
            ipa-4-9:
            https://pagure.io/freeipa/c/27b96c17dd51d076e04d97662b7c788658a5094a

            Julien Rische added a comment -

            Here is the pull request for the fix:
            https://github.com/freeipa/freeipa/pull/7182

              Votes: 0
              Watchers: 11