Security Advisory Moderate: rhpki security and bug fix update

Advisory: RHSA-2009:0007-12
Type: Security Advisory
Severity: Moderate
Issued on: 2009-01-29
Last updated on: 2009-01-29
Affected Products: Red Hat Certificate System v7.3
CVEs (cve.mitre.org): CVE-2008-2367, CVE-2008-2368, CVE-2008-5082

Details

Updated rhpki-common packages that fix security issues are now available
for Red Hat Certificate System 7.3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Red Hat Certificate System (RHCS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

It was discovered that Red Hat Certificate System used insecure default
file permissions on certain configuration files (for example,
password.conf) that may contain authentication credentials. These
credentials should only be accessible to administrative and service users.
A local user could use this flaw to read Red Hat Certificate System
configuration files containing sensitive information. (CVE-2008-2367)

It was discovered that Red Hat Certificate System stored plain text
passwords in multiple debug log files with insufficient access restrictions
(for example, the UserDirEnrollment log and the RA wizard installer log). A
local user could use this flaw to extract plain text passwords from the Red
Hat Certificate System debug log files. (CVE-2008-2368)
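The two issues above (CVE-2008-2367 and CVE-2008-2368) are both credential-exposure problems that an administrator can check for independently of the package update. The following Python audit is an added example, not part of the advisory and not Red Hat's code: it reports sensitive configuration files that group or other can read, and debug log lines that appear to carry a plaintext password. Only password.conf is named in the advisory; the other file names, the directory layout and the log contents are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# password.conf is named in the advisory; CS.cfg is an assumed additional
# credential-bearing file for this demonstration.
SENSITIVE_NAMES = {"password.conf", "CS.cfg"}

# key=value or "key: value" lines whose key mentions a password (pass, passwd,
# password, pwd). Heuristic, not an exhaustive pattern.
PASSWORD_LINE = re.compile(r"(?i)\b\w*(?:pass(?:word|wd)?|pwd)\w*\s*[:=]\s*\S+")


def readable_by_others(mode: int) -> bool:
    """True if the mode bits grant read access to group or other."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_permissions(root: Path) -> list[str]:
    """Relative paths of sensitive files under root that group/other can read."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in SENSITIVE_NAMES:
            if readable_by_others(path.stat().st_mode):
                findings.append(str(path.relative_to(root)))
    return findings


def find_password_lines(lines):
    """(line_number, line) pairs that look like they contain a plaintext password."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if PASSWORD_LINE.search(line)]


def audit_logs(root: Path) -> dict[str, list[int]]:
    """Map each *.log file under root to the line numbers that leak a password."""
    report = {}
    for path in sorted(root.rglob("*.log")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            hits = [n for n, _ in find_password_lines(fh)]
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Build a constructed instance tree and run both audits against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf = root / "conf"
        conf.mkdir()
        (conf / "password.conf").write_text("internal=Secret123\n")
        os.chmod(conf / "password.conf", 0o644)   # world-readable: the insecure default
        (conf / "CS.cfg").write_text("ca.publish.enable=true\n")
        os.chmod(conf / "CS.cfg", 0o600)          # owner-only: the intended state
        logs = root / "logs"
        logs.mkdir()
        (logs / "debug.log").write_text(          # constructed log lines
            "[29/Jan/2009] UserDirEnrollment: binding to ldap\n"
            "[29/Jan/2009] UserDirEnrollment: bindpwd=Secret123\n"
        )
        (logs / "system.log").write_text("[29/Jan/2009] server started\n")
        return audit_permissions(root), audit_logs(root)


if __name__ == "__main__":
    perms, leaks = demo()
    print("readable by group/other:", perms)
    print("password-bearing log lines:", leaks)
```

Run against a real instance by pointing `audit_permissions` and `audit_logs` at the server's configuration and log directories; the expected clean result is an empty list and an empty dictionary. A hit in the log audit is also a sign that the log itself should be rotated or purged after the update, since tightening permissions does not remove the credential already written.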

It was discovered that the Token Processing System (TPS) component of the
Red Hat Certificate System did not properly verify the challenge response
received during the enrollment of a new security token. An attacker with
access to a blank token known to the TPS component and with privileges to
perform new token enrollments could use this flaw to complete the
enrollment procedure with a software-generated key instead of the key
stored in the hardware token. (CVE-2008-5082)

These updated packages fix the following bugs:

* The end-entities enrollment pages have been updated to support the
certenroll.dll library used on Microsoft Vista, so Internet Explorer can
be used to enroll certificates on Vista.

* The password used by the LDAP publisher was improperly stored in the CA
configuration. This essentially required that the LDAP publishing password
had to be the same as the internal database (LDAP directory) password, or
LDAP publishing would break. A new parameter was added to the CA CS.cfg
file to define an LDAP publishing password parameter in the CA's
password.conf file.

* The secure ports used by subsystem interfaces — the administrative
console, agent pages, and end-entities pages — are, by default, the same.
With this errata it is possible to run those services on separate ports,
which provides additional protection by preventing agents and users from
sharing the same TCP port and web services directory.

* The certificate policies extension was not processed by CMSServlet.

* Any IP Address defined in a certificate's SubjectAltName parameter was
improperly coded as an 8-byte number, with the last 4 bytes trailing zeros
(00 00 00 00).

* The subject name uniqueness plug-in in the CA profiles, which enforces
unique names for all active certificates, would reject a certificate
request which reused a subject name even if the previous certificate had
been revoked or expired.

* The TPS dependencies have been changed from MozLDAP5 to MozLDAP6.
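The SubjectAltName bug listed above (an IP address encoded as 8 bytes with four trailing zero bytes) leaves a recognisable signature in already-issued certificates. The following Python check is an added example, not part of the advisory and not Red Hat's code: it walks a DER-encoded GeneralNames value, using the RFC 5280 tag numbers ([2] dNSName, [7] iPAddress), and classifies each iPAddress as correctly sized (4 bytes for IPv4, 16 for IPv6), padded in the way the bug describes, or otherwise malformed. The two SubjectAltName values at the bottom are constructed for the demonstration, not taken from any real certificate.

```python
# Context-specific, primitive tags for the GeneralName choices used here (RFC 5280).
DNS_NAME_TAG = 0x82
IP_ADDRESS_TAG = 0x87


def read_length(buf: bytes, pos: int):
    """Decode a DER length starting at pos; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_general_names(der: bytes):
    """Yield (tag, value) for each GeneralName inside a DER GeneralNames SEQUENCE."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    while pos < end:
        tag = der[pos]
        vlen, pos = read_length(der, pos + 1)
        if pos + vlen > end:
            raise ValueError("GeneralName runs past end of SEQUENCE")
        yield tag, der[pos:pos + vlen]
        pos += vlen


def check_ip_addresses(der: bytes):
    """Classify every iPAddress in a SubjectAltName value.

    Returns a list of (status, address_bytes):
      "ok"          4 or 16 bytes, as RFC 5280 requires
      "padded-ipv4" 8 bytes ending in 00 00 00 00, the encoding this errata fixes
      "malformed"   any other length
    """
    results = []
    for tag, value in parse_general_names(der):
        if tag != IP_ADDRESS_TAG:
            continue
        if len(value) in (4, 16):
            results.append(("ok", value))
        elif len(value) == 8 and value[4:] == b"\x00\x00\x00\x00":
            results.append(("padded-ipv4", value[:4]))
        else:
            results.append(("malformed", value))
    return results


def format_ipv4(addr: bytes) -> str:
    """Dotted-quad rendering of a 4-byte address."""
    return ".".join(str(b) for b in addr)


# Constructed SubjectAltName values (assumed inputs, not from a real certificate):
#   GOOD_SAN: dNSName "localhost" plus a correctly encoded 4-byte iPAddress
#   BAD_SAN:  the same address encoded as 8 bytes with four trailing zeros
GOOD_SAN = bytes([0x30, 0x11, DNS_NAME_TAG, 0x09]) + b"localhost" \
    + bytes([IP_ADDRESS_TAG, 0x04, 192, 168, 1, 1])
BAD_SAN = bytes([0x30, 0x0A, IP_ADDRESS_TAG, 0x08, 192, 168, 1, 1, 0, 0, 0, 0])


if __name__ == "__main__":
    for label, san in (("good", GOOD_SAN), ("bad", BAD_SAN)):
        for status, addr in check_ip_addresses(san):
            shown = format_ipv4(addr) if len(addr) == 4 else addr.hex()
            print(f"{label}: {status} {shown}")
```

To apply this to a deployed CA's output, extract the SubjectAltName extension value from each issued certificate with an X.509 library or OpenSSL and pass the raw extension bytes to `check_ip_addresses`; any "padded-ipv4" result identifies a certificate issued before the fix that relying parties may fail to match against the intended address.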

All users of Red Hat Certificate System 7.3 should upgrade to these updated
packages, which resolve these issues.


Solution

Users running Red Hat Certificate System on Red Hat Enterprise Linux:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Users running Red Hat Certificate System on Sun Solaris:

Updated Solaris packages, in .pkg format, are available in the Red Hat
Certificate System Solaris channels on the Red Hat Network. These packages
should be installed or upgraded using Solaris-native package management
tools.

For detailed installation instructions, see Chapter 2, "Installation and
Configuration", of the Red Hat Certificate System 7.3 Administration Guide:
http://redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration.html

Updated packages

Red Hat Certificate System v7.3

IA-32:
pkisetup-7.3.0-14.el4.noarch.rpm
    MD5: ce3f8b9f934d6645531b048320dd1a7c
rhpki-ca-7.3.0-17.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: e60d8767b8180362f247abb2994387db
rhpki-common-7.3.0-40.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: a4469965c77219b9a6d0a1f5b1d4c126
rhpki-kra-7.3.0-13.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: def4a9709518f6ac5fb792e2e9733df9
rhpki-ocsp-7.3.0-11.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: 71309595c8c25b0f661d0ce56eee9c97
rhpki-ra-7.3.0-67.el4.noarch.rpm
    File outdated by: RHBA-2010:0170
    MD5: 32d4740ad7d799613ae78d16df584973
rhpki-tks-7.3.0-12.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: 780a85172cbe6a7c4ff54d08a5c5321e
rhpki-tps-7.3.0-23.el4.i386.rpm
    File outdated by: RHBA-2010:0170
    MD5: 66dc835f5e9d9301a344d7511e0a0e4a
rhpki-util-7.3.0-20.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: b5c42ec5de5116b47cb3f6a1b5cd9927

x86_64:
pkisetup-7.3.0-14.el4.noarch.rpm
    MD5: ce3f8b9f934d6645531b048320dd1a7c
rhpki-ca-7.3.0-17.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: e60d8767b8180362f247abb2994387db
rhpki-common-7.3.0-40.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: a4469965c77219b9a6d0a1f5b1d4c126
rhpki-kra-7.3.0-13.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: def4a9709518f6ac5fb792e2e9733df9
rhpki-ocsp-7.3.0-11.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: 71309595c8c25b0f661d0ce56eee9c97
rhpki-ra-7.3.0-67.el4.noarch.rpm
    File outdated by: RHBA-2010:0170
    MD5: 32d4740ad7d799613ae78d16df584973
rhpki-tks-7.3.0-12.el4.noarch.rpm
    File outdated by: RHSA-2010:0602
    MD5: 780a85172cbe6a7c4ff54d08a5c5321e
rhpki-tps-7.3.0-23.el4.x86_64.rpm
    File outdated by: RHBA-2010:0170
    MD5: 5c1469490906f26b8e036f6c13922fb6
rhpki-util-7.3.0-20.el4.noarch.rpm
    File outdated by: RHSA-2010:0837
    MD5: b5c42ec5de5116b47cb3f6a1b5cd9927

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

451998 - CVE-2008-2367 Certificate System: insecure config file permissions
452000 - CVE-2008-2368 Certificate System: plain text passwords stored in debug log
459049 - rhcs71 - IP Address in Subject Alt Name is Incorrectly Coded with padding
475998 - CVE-2008-5082 Certificate System: missing public key challenge proof verification in the TPS component


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/