RHEL-22313

Enable Bronze-Bit check only if SIDs are set

    • Bug
    • Resolution: Done-Errata
    • Critical
    • rhel-8.10
    • rhel-8.6.0.z, rhel-8.7.0.z, rhel-8.8.0.z, rhel-8.9.0.z, rhel-8.10
    • ipa
    • ipa-4.9.13-6.module+el8.10.0+21338+730b6341
    • ZStream
    • rhel-sst-idm-ipa
    • ssg_idm
    • QE ack, Dev ack
    • 2024-Q1-Bravo-S2, 2024-Q1-Bravo-S3, 2024-Q1-Bravo-S4
    • Approved Blocker
    • Bug Fix
      Check on the forwardable flag is disabled in cases where SIDs are not generated for the domain

      Previously, the update providing a fix for CVE-2020-17049 relied on the Kerberos PAC to run certain checks on the ticket *forwardable* flag when the KDC processes a general constrained delegation request. However, the PAC is generated only on domains where the SIDs generation task was executed in the past. While this task is automatically performed for all IdM domains created on Red Hat Enterprise Linux (RHEL) 8.5 and newer, domains initialized on older versions require manual execution of this task.

      In case the SIDs generation task was never executed manually for IdM domains initialized on RHEL 8.4 and older, the PAC will be missing on Kerberos tickets, resulting in rejection of all general constrained delegation requests. This includes IdM's HTTP API, which relies on general constrained delegation.

      With this update, the check of the *forwardable* flag is disabled in cases where SIDs were not generated for the domain. Services relying on general constrained delegation, including IdM HTTP API, continue working. However, Red Hat recommends running the SIDs generation task on the domain as soon as possible, especially if the domain has custom general constrained delegation rules configured. Until this is done, the domain remains vulnerable to CVE-2020-17049.
    • Done

      The recently released Bronze-Bit detection mechanism relies on the PAC to filter S4U2Proxy requests. However, on RHEL 8, for the PAC to be present, the impersonated principal needs to have a SID.

      It seems that for numerous IPA domains initialized before RHEL 8.5, the SID generation task was never executed, hence PACs are still not generated in tickets. This is a major issue as updating IPA on these domains will cause the HTTP API to stop working, because the API relies on S4U2Proxy, and the Bronze-Bit check needs an evidence ticket with a PAC to accept the request.

      The Bronze-Bit check should be executed only if the IPA domain is able to generate PACs.
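To tell whether a domain will end up with the forwardable-flag check enforced or skipped under this fix, a defender can look at whether the domain entry and the user entries carry ipaNTSecurityIdentifier. The Python helper below is an added example, not FreeIPA/IdM code: it assumes the DN layout given in its constants and the attribute name ipaNTSecurityIdentifier, and runs on a constructed LDIF sample in the shape ldapsearch -LLL prints.

```python
"""Added audit helper (not FreeIPA/IdM code). Parses an LDIF dump and reports whether
the domain carries a SID (so PACs, and with them the CVE-2020-17049 check, are in
effect) and which users lack ipaNTSecurityIdentifier and therefore get no PAC."""

SID_ATTR = "ipantsecurityidentifier"
DOMAIN_RDN = ",cn=ad,cn=etc,"        # assumed parent of the ipaNTDomainAttrs entry
USER_RDN = ",cn=users,cn=accounts,"  # assumed parent of IdM user entries

# Constructed sample: one domain entry with a SID, one user with, one user without.
SAMPLE_LDIF = """\
dn: cn=example.test,cn=ad,cn=etc,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=legacy,cn=users,cn=accounts,dc=example,dc=test
uid: legacy
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold RFC 2849 continuation lines and return
    {dn: {attr: [values]}} with attribute names lower-cased."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # folded line continues the previous one
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            current = None                # blank line or comment ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ").strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def audit_sids(ldif_text):
    """Return (domain_has_sid, users_without_sid). A False first element means the KDC
    issues no PACs: with this fix S4U2Proxy keeps working but the Bronze-Bit check is
    skipped, so the SIDs generation task should be run on the domain."""
    entries = parse_ldif(ldif_text)
    domain_has_sid = any(SID_ATTR in attrs for dn, attrs in entries.items()
                         if DOMAIN_RDN in dn.lower())
    users_without_sid = sorted(attrs.get("uid", [dn])[0] for dn, attrs in entries.items()
                               if USER_RDN in dn.lower() and SID_ATTR not in attrs)
    return domain_has_sid, users_without_sid
```

Users listed in the second element get no PAC even in a SID-enabled domain, so they are the ones to re-run the task with SID assignment for.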

              Julien Rische (jrische@redhat.com), Michal Polovka, Michal Stubna