Bug 1189894 - (CVE-2021-3698) VUL-0: CVE-2021-3698: cockpit: authenticates with revoked certificates
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Adam Majer
QA Contact: Security Team bot
Depends on:
Reported: 2021-08-27 15:54 UTC by Gianluca Gabrielli
Modified: 2022-10-28 15:26 UTC
CC List: 1 user

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-08-27 15:54:59 UTC
A flaw was found in Cockpit in the way it handles the certificate verification performed by SSSD and allows client certificates to successfully authenticate regardless of the CRL configuration or the certificate status.
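
The flaw described above is the gap between a plain chain check and a revocation-aware check: a certificate chaining to a trusted CA is not the same as a certificate the CA still vouches for. The script below is an added illustration, not Cockpit's or SSSD's code, and it assumes only that the openssl CLI (1.1.1 or 3.x) is on PATH. It builds a throwaway CA, issues a client certificate, revokes it, publishes a CRL, and then runs `openssl verify` twice on the same certificate, once without `-crl_check` (accepted) and once with it (rejected). The CA name, the subject "alice" and the ca.cnf contents are made up for the demo.

```shell
#!/bin/sh
# Added illustration (not Cockpit or SSSD code): a client certificate that
# passes a plain chain check but fails once the CA's CRL is consulted.
# Assumes the openssl CLI is on PATH; everything else is generated in a
# scratch directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: CA, one client cert, then revoke it and issue a CRL.
setup_pki() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout client.key -out client.csr >/dev/null 2>&1
    openssl x509 -req -days 30 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt >/dev/null 2>&1

    # Minimal config for "openssl ca", which maintains the revocation database
    # (index.txt) and signs the CRL. All values here are demo choices.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
new_certs_dir    = .
serial           = serial
default_md       = sha256
default_crl_days = 30
default_days     = 30
policy           = any_policy

[ any_policy ]
commonName = supplied
EOF
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Revoke the client cert (openssl ca adds it to the DB if unknown) and
    # publish the CRL that now lists its serial number.
    openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Chain check only: this is the kind of check that accepts a revoked cert.
# Returns 0 when openssl accepts the certificate.
verify_ignoring_crl() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Chain check plus CRL: the cert must also be absent from the CA's CRL.
# Returns non-zero for the revoked certificate.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$WORK/client.crt" >/dev/null 2>&1
}

setup_pki
if verify_ignoring_crl; then
    echo "without CRL check: revoked cert ACCEPTED"
fi
if verify_with_crl; then
    echo "with CRL check:    revoked cert accepted (unexpected)"
else
    echo "with CRL check:    revoked cert rejected"
fi
```

The two verify calls are the check worth repeating against a real CA and CRL: if a certificate a deployment accepts is rejected by the `-crl_check` form, the deployment is not consulting revocation state, which is the behaviour this bug describes.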

Comment 1 Gianluca Gabrielli 2021-08-27 16:02:23 UTC
SUSE:SLE-15-SP2:Update:Products:MicroOS:Update/cockpit (v195.12) is not affected since the certificate auth functionality was introduced in version 208.

openSUSE:Factory/cockpit (v250) should be affected but there is currently no patch available.

A discussion is going on with the sssd [0] project in order to have a new D-Bus API that would expose sssd's cert validation and make Cockpit use it.

[0] https://github.com/SSSD/sssd/issues/5224
Comment 2 Adam Majer 2022-10-28 15:26:43 UTC
Looks like this was merged upstream into SSSD


which is in SSSD v2.6.2

and then the fix was merged upstream in cockpit in,


which is part of Cockpit 260.x version

Factory version is 276.1, which includes the fix. But we have 251.3 in SLE Micro 15.2 and 15.3.

But the SSSD we have in SLE is too old to have this API, even SP4 has 2.5.2.