Security Advisory Important: ipa-client security update

Advisory: RHSA-2013:0189-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-23
Last updated on: 2013-01-23
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.9.z server)
Red Hat Enterprise Linux Long Life (v. 5.9 server)
CVEs (cve.mitre.org): CVE-2012-5484

Details

An updated ipa-client package that fixes one security issue is now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Red Hat Identity Management is a centralized authentication, identity
management and authorization solution for both traditional and cloud-based
enterprise environments.

A weakness was found in the way IPA clients communicated with IPA servers
when initially attempting to join IPA domains. As there was no secure way
to provide the IPA server's Certificate Authority (CA) certificate to the
client during a join, the IPA client enrollment process was susceptible to
man-in-the-middle attacks. This flaw could allow an attacker to obtain
access to the IPA server using the credentials provided by an IPA client,
including administrative access to the entire domain if the join was
performed using an administrator's credentials. (CVE-2012-5484)

Note: This weakness was only exposed during the initial client join to the
realm, because at that point the IPA client did not yet have the CA
certificate of the server. Once an IPA client has joined the realm and has
obtained the CA certificate of the IPA server, all further communication is
secure. If a client were using the OTP (one-time password) method to join
the realm, an attacker could only obtain unprivileged access to the server
(enough only to join the realm).

Red Hat would like to thank Petr Menšík for reporting this issue.

When a fix for this flaw has been applied to the client but not yet to the
server, ipa-client-install in unattended mode will fail if the correct CA
certificate is not available locally, and will note that the "--force"
option must be used to obtain the certificate insecurely. In interactive
mode, ipa-client-install first tries to obtain the certificate securely from
LDAP; if that fails, you are prompted to download the certificate insecurely
via HTTP. In the same situation when using OTP, LDAP is not queried and you
are prompted to download the certificate insecurely via HTTP.
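The defensive counterpart to the flaw above is to deliver the IPA CA certificate (or its SHA-256 fingerprint) to the client out of band and verify whatever certificate the join path presents against that pin before it is trusted. The following is an added Python example, not code from ipa-client or Red Hat; SAMPLE_DER and SAMPLE_PEM are constructed placeholders rather than a real certificate, and the function names are assumptions.

```python
"""Pin the IPA CA certificate before trusting it (added example, not ipa-client code).
The out-of-band pin is the SHA-256 fingerprint of the CA certificate's DER
encoding; any certificate offered during a join is checked against it first."""
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)

def ca_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex
    (the same form 'openssl x509 -fingerprint -sha256' prints)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def ca_cert_is_trusted(candidate_pem: str, pinned_fingerprint: str) -> bool:
    """True only if the candidate matches the out-of-band pin.

    A mismatch means the certificate arrived over an untrusted path (for
    example a plain-HTTP download during a join) and must not be installed.
    Comparison is constant-time; separators and case in the pin are ignored."""
    got = ca_fingerprint(candidate_pem).replace(":", "").lower()
    want = pinned_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(got.encode(), want.encode())

# Constructed sample: a minimal ASN.1 SEQUENCE, not a real certificate, so the
# pinning logic can be exercised offline. Real input is the IPA CA PEM file.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pin = ca_fingerprint(SAMPLE_PEM)          # what the admin provisions out of band
    print("pin:", pin)
    print("match:", ca_cert_is_trusted(SAMPLE_PEM, pin))
    print("tampered:", ca_cert_is_trusted(SAMPLE_PEM, "00" * 32))
```

In practice the pin is computed on the IPA server (or from a copy of the CA certificate obtained over a trusted channel) and pushed to the client with the provisioning data, so an unattended join never has to fetch the CA certificate over HTTP.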

Users of ipa-client are advised to upgrade to this updated package, which
corrects this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
ipa-client-2.1.3-5.el5_9.2.src.rpm

IA-32:
ipa-client-2.1.3-5.el5_9.2.i386.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm

IA-64:
ipa-client-2.1.3-5.el5_9.2.ia64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.ia64.rpm

PPC:
ipa-client-2.1.3-5.el5_9.2.ppc.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.ppc.rpm

s390x:
ipa-client-2.1.3-5.el5_9.2.s390x.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.s390x.rpm

x86_64:
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm

All files in this section are outdated by: RHBA-2013:1334

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
ipa-client-2.1.3-5.el5_9.2.src.rpm

IA-32:
ipa-client-2.1.3-5.el5_9.2.i386.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm

x86_64:
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm

All files in this section are outdated by: RHBA-2013:1334

Red Hat Enterprise Linux EUS (v. 5.9.z server)

SRPMS:
ipa-client-2.1.3-5.el5_9.2.src.rpm
File outdated by: RHBA-2013:1334

IA-32:
ipa-client-2.1.3-5.el5_9.2.i386.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm

IA-64:
ipa-client-2.1.3-5.el5_9.2.ia64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.ia64.rpm

PPC:
ipa-client-2.1.3-5.el5_9.2.ppc.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.ppc.rpm

s390x:
ipa-client-2.1.3-5.el5_9.2.s390x.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.s390x.rpm

x86_64:
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm

Red Hat Enterprise Linux Long Life (v. 5.9 server)

SRPMS:
ipa-client-2.1.3-5.el5_9.2.src.rpm
File outdated by: RHBA-2013:1334

IA-32:
ipa-client-2.1.3-5.el5_9.2.i386.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.i386.rpm

IA-64:
ipa-client-2.1.3-5.el5_9.2.ia64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.ia64.rpm

x86_64:
ipa-client-2.1.3-5.el5_9.2.x86_64.rpm
ipa-client-debuginfo-2.1.3-5.el5_9.2.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

876307 - CVE-2012-5484 ipa: weakness when initiating join from IPA client can potentially compromise IPA domain

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/