Bug 1189894 - (CVE-2021-3698) VUL-0: CVE-2021-3698: cockpit: authenticates with revoked certificates
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Adam Majer
Security Team bot
URL: https://smash.suse.de/issue/308498/
Reported: 2021-08-27 15:54 UTC by Gianluca Gabrielli
Modified: 2022-10-28 15:26 UTC (History)
Found By: Security Response Team
Description Gianluca Gabrielli 2021-08-27 15:54:59 UTC
A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1992149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3698
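The flaw described in this report, as an added example that is not Cockpit's or SSSD's code: a standard-library-only Go program that builds a constructed CA, two client certificates and a CRL revoking one of them, then contrasts a chain-only check, which accepts both certificates, with a check that also validates and consults the CRL. Every name (Scenario, BuildScenario, mkCert, VerifyChainOnly, VerifyWithCRL), serial number and subject is an assumption made for this example; it does not reproduce the verification path Cockpit or SSSD actually use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario: a constructed CA, one valid and one revoked client certificate,
// and a DER-encoded CRL signed by the CA that lists the revoked one.
type Scenario struct {
	CA, Good, Revoked *x509.Certificate
	CRL               []byte
}

// mkCert generates a P-256 key for tmpl and has parentKey sign it
// (self-signed when parent is nil). Panics on error: this is a fixture.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyChainOnly is the incomplete check: chain and key usage, no revocation.
func VerifyChainOnly(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// VerifyWithCRL adds what was missing: the CRL must parse, must be signed by
// the CA, must not be stale, and must not list the certificate's serial.
func VerifyWithCRL(cert, ca *x509.Certificate, crlDER []byte) error {
	if err := VerifyChainOnly(cert, ca); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s; refusing to trust it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// BuildScenario issues serials 1001 (alice) and 1002 (bob) and revokes 1002.
func BuildScenario() *Scenario {
	now := time.Now()
	ca, caKey := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Client CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign: Go refuses to sign a CRL without it
	}, nil, nil)
	client := func(serial int64, cn string) *x509.Certificate {
		c, _ := mkCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return c
	}
	good, revoked := client(1001, "alice"), client(1002, "bob")
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil {
		panic(err)
	}
	return &Scenario{CA: ca, Good: good, Revoked: revoked, CRL: crl}
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Good, s.Revoked} {
		fmt.Printf("%-6s chain-only: %v | with CRL: %v\n", c.Subject.CommonName, VerifyChainOnly(c, s.CA), VerifyWithCRL(c, s.CA, s.CRL))
	}
}
```

Go's chain verification never consults a CRL on its own, which is why the revocation step is written out explicitly. The check fails closed: an unparseable CRL, a CRL signed by a different CA, or one past its nextUpdate rejects the login instead of quietly accepting the certificate, so a revocation misconfiguration surfaces as a failed authentication rather than as the silent acceptance this bug describes.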
Comment 1 Gianluca Gabrielli 2021-08-27 16:02:23 UTC
SUSE:SLE-15-SP2:Update:Products:MicroOS:Update/cockpit (v195.12) is not affected since the certificate auth functionality was introduced in version 208.

openSUSE:Factory/cockpit (v250) should be affected but there is currently no patch available.

A discussion is going on with the sssd [0] project in order to have a new D-Bus API that would expose sssd's cert validation and make Cockpit use it.

[0] https://github.com/SSSD/sssd/issues/5224
Comment 2 Adam Majer 2022-10-28 15:26:43 UTC
Looks like this was merged upstream into SSSD

https://github.com/SSSD/sssd/pull/5852
and
https://github.com/ikerexxe/sssd/commit/c6d901d65e38a792c4015efa70e3b925a922b406
https://github.com/SSSD/sssd/issues/5911

which is in SSSD v2.6.2

and then the fix was merged upstream in cockpit in:

https://github.com/cockpit-project/cockpit/pull/16703

which is part of the Cockpit 260.x version.

Factory version is 276.1, which includes the fix. But we have 251.3 in SLE Micro 15.2 and 15.3.

But the SSSD we have in SLE is too old to have this API, even SP4 has 2.5.2.