Vulnerabilities > CVE-2017-7537

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
redhat
dogtagpki
nessus

Summary

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates.

Vulnerable Configurations

Part Description Count
OS
Redhat
3
Application
Dogtagpki
55

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2335.NASL
    descriptionFrom Red Hat Security Advisory 2017:2335 : An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem. Security Fix(es) : * It was found that a mock CMC authentication plugin with a hard-coded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537) This issue was discovered by Christina Fu (Red Hat).
    last seen2020-06-01
    modified2020-06-02
    plugin id102342
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102342
    titleOracle Linux 7 : pki-core (ELSA-2017-2335)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2335 and 
    # Oracle Linux Security Advisory ELSA-2017-2335 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102342);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2017-7537");
      script_xref(name:"RHSA", value:"2017:2335");
    
      script_name(english:"Oracle Linux 7 : pki-core (ELSA-2017-2335)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:2335 :
    
    An update for pki-core is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat Certificate System is an enterprise software system designed
    to manage enterprise public key infrastructure (PKI) deployments. PKI
    Core contains fundamental packages required by Red Hat Certificate
    System, which comprise the Certificate Authority (CA) subsystem.
    
    Security Fix(es) :
    
    * It was found that a mock CMC authentication plugin with a hard-coded
    secret was accidentally enabled by default in the pki-core package. An
    attacker could potentially use this flaw to bypass the regular
    authentication process and trick the CA server into issuing
    certificates. (CVE-2017-7537)
    
    This issue was discovered by Christina Fu (Red Hat)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007111.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected pki-core packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pki-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-base-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-base-java-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-ca-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-javadoc-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-kra-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-server-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-symkey-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pki-tools-10.4.1-11.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-base / pki-base-java / pki-ca / pki-javadoc / pki-kra / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1183.NASL
    descriptionAccording to the version of the pki-core packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-09-08
    plugin id103021
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103021
    titleEulerOS 2.0 SP1 : pki-core (EulerOS-SA-2017-1183)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103021);
      script_version("3.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-7537"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : pki-core (EulerOS-SA-2017-1183)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the pki-core packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - It was found that a mock CMC authentication plugin with
        a hardcoded secret was accidentally enabled by default
        in the pki-core package. An attacker could potentially
        use this flaw to bypass the regular authentication
        process and trick the CA server into issuing
        certificates. (CVE-2017-7537)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1183
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a2ab6ecb");
      script_set_attribute(attribute:"solution", value:
    "Update the affected pki-core package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["pki-base-10.3.3-17.h1",
            "pki-base-java-10.3.3-17.h1",
            "pki-ca-10.3.3-17.h1",
            "pki-javadoc-10.3.3-17.h1",
            "pki-kra-10.3.3-17.h1",
            "pki-server-10.3.3-17.h1",
            "pki-symkey-10.3.3-17.h1",
            "pki-tools-10.3.3-17.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-core");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1184.NASL
    descriptionAccording to the version of the pki-core packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-09-08
    plugin id103022
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103022
    titleEulerOS 2.0 SP2 : pki-core (EulerOS-SA-2017-1184)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103022);
      script_version("3.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-7537"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : pki-core (EulerOS-SA-2017-1184)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the pki-core packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - It was found that a mock CMC authentication plugin with
        a hardcoded secret was accidentally enabled by default
        in the pki-core package. An attacker could potentially
        use this flaw to bypass the regular authentication
        process and trick the CA server into issuing
        certificates. (CVE-2017-7537)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1184
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?21814cbd");
      script_set_attribute(attribute:"solution", value:
    "Update the affected pki-core package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pki-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["pki-base-10.2.5-6.h1",
            "pki-ca-10.2.5-6.h1",
            "pki-kra-10.2.5-6.h1",
            "pki-server-10.2.5-6.h1",
            "pki-symkey-10.2.5-6.h1",
            "pki-tools-10.2.5-6.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-core");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2335.NASL
    descriptionAn update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem. Security Fix(es) : * It was found that a mock CMC authentication plugin with a hard-coded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537) This issue was discovered by Christina Fu (Red Hat).
    last seen2020-06-01
    modified2020-06-02
    plugin id102117
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102117
    titleRHEL 7 : pki-core (RHSA-2017:2335)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2335. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102117);
      script_version("3.13");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2017-7537");
      script_xref(name:"RHSA", value:"2017:2335");
    
      script_name(english:"RHEL 7 : pki-core (RHSA-2017:2335)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for pki-core is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat Certificate System is an enterprise software system designed
    to manage enterprise public key infrastructure (PKI) deployments. PKI
    Core contains fundamental packages required by Red Hat Certificate
    System, which comprise the Certificate Authority (CA) subsystem.
    
    Security Fix(es) :
    
    * It was found that a mock CMC authentication plugin with a hard-coded
    secret was accidentally enabled by default in the pki-core package. An
    attacker could potentially use this flaw to bypass the regular
    authentication process and trick the CA server into issuing
    certificates. (CVE-2017-7537)
    
    This issue was discovered by Christina Fu (Red Hat)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7537"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-core-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2335";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"pki-base-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pki-base-java-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pki-ca-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"pki-core-debuginfo-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"pki-core-debuginfo-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pki-javadoc-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pki-kra-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pki-server-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"pki-symkey-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"pki-symkey-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"pki-tools-10.4.1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"pki-tools-10.4.1-11.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-base / pki-base-java / pki-ca / pki-core-debuginfo / etc");
      }
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170801_PKI_CORE_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - It was found that a mock CMC authentication plugin with a hard-coded secret was accidentally enabled by default in the pki-core package. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates. (CVE-2017-7537)
    last seen2020-03-18
    modified2017-08-22
    plugin id102652
    published2017-08-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102652
    titleScientific Linux Security Update : pki-core on SL7.x x86_64 (20170801)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102652);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id("CVE-2017-7537");
    
      script_name(english:"Scientific Linux Security Update : pki-core on SL7.x x86_64 (20170801)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - It was found that a mock CMC authentication plugin with
        a hard-coded secret was accidentally enabled by default
        in the pki-core package. An attacker could potentially
        use this flaw to bypass the regular authentication
        process and trick the CA server into issuing
        certificates. (CVE-2017-7537)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1708&L=scientific-linux-errata&F=&S=&P=10705
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f393a743"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-core-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pki-tools");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", reference:"pki-base-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"pki-base-java-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"pki-ca-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"pki-core-debuginfo-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"pki-javadoc-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"pki-kra-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"pki-server-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"pki-symkey-10.4.1-11.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"pki-tools-10.4.1-11.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-base / pki-base-java / pki-ca / pki-core-debuginfo / etc");
    }
    

Redhat

advisories
bugzilla
id1470817
titleCVE-2017-7537 pki-core: mock CMC authentication plugin with hardcoded secret enabled by default
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentpki-tools is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335001
        • commentpki-tools is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335002
      • AND
        • commentpki-symkey is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335003
        • commentpki-symkey is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20130511022
      • AND
        • commentpki-javadoc is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335005
        • commentpki-javadoc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335006
      • AND
        • commentpki-base is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335007
        • commentpki-base is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335008
      • AND
        • commentpki-ca is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335009
        • commentpki-ca is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20130511004
      • AND
        • commentpki-base-java is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335011
        • commentpki-base-java is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335012
      • AND
        • commentpki-kra is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335013
        • commentpki-kra is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335014
      • AND
        • commentpki-server is earlier than 0:10.4.1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172335015
        • commentpki-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172335016
rhsa
idRHSA-2017:2335
released2017-08-01
severityModerate
titleRHSA-2017:2335: pki-core security update (Moderate)
rpms
  • pki-base-0:10.4.1-11.el7
  • pki-base-java-0:10.4.1-11.el7
  • pki-ca-0:10.4.1-11.el7
  • pki-core-debuginfo-0:10.4.1-11.el7
  • pki-javadoc-0:10.4.1-11.el7
  • pki-kra-0:10.4.1-11.el7
  • pki-server-0:10.4.1-11.el7
  • pki-symkey-0:10.4.1-11.el7
  • pki-tools-0:10.4.1-11.el7