CVE-2018-1080 - Unspecified vulnerability in Dogtagpki

CVSS 8.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, high complexity, dogtagpki, nessus

Summary

Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will deny access and deny rules will grant access. This may result in an escalation of privileges or have other unintended consequences.

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2018-1979.NASL
    description: An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es) : * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (CVE-2018-1080) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Fraser Tweedale (Red Hat). Bug Fix(es) : * Previously, when ECC keys were enrolled, Certificate Management over CMS (CMC) authentication failed with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110906
    published: 2018-07-05
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110906
    title: CentOS 7 : pki-core (CESA-2018:1979)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1979 and 
    # CentOS Errata and Security Advisory 2018:1979 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110906);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-1080");
      script_xref(name:"RHSA", value:"2018:1979");
    
      script_name(english:"CentOS 7 : pki-core (CESA-2018:1979)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for pki-core is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The Public Key Infrastructure (PKI) Core contains fundamental packages
    required by Red Hat Certificate System.
    
    Security Fix(es) :
    
    * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses
    rules that allow and deny access (CVE-2018-1080)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    This issue was discovered by Fraser Tweedale (Red Hat).
    
    Bug Fix(es) :
    
    * Previously, when ECC keys were enrolled, Certificate Management over
    CMS (CMC) authentication failed with a 'TokenException: Unable to
    insert certificate into temporary database' error. As a consequence,
    the enrollment failed. This update fixes the problem. As a result, the
    mentioned bug no longer occurs. (BZ#1550581)
    
    * Previously, Certificate System used the same enrollment profiles for
    issuing RSA and ECC certificates. As a consequence, the key usage
    extension in issued certificates did not meet the Common Criteria
    standard. This update adds ECC-specific enrollment profiles where the
    key usage extension for TLS server and client certificates are
    different as described in RFC 6960. Additionally, the update changes
    existing profiles to issue only RSA certificates. As a result, the key
    usage extension in ECC certificates now meets the Common Criteria
    standard. (BZ#1554726)
    
    * The Certificate System server rejects saving invalid access control
    lists (ACL). As a consequence, when saving an ACL with an empty
    expression, the server rejected the update and the pkiconsole utility
    displayed an StringIndexOutOfBoundsException error. With this update,
    the utility rejects empty ACL expressions. As a result, invalid ACLs
    cannot be saved and the error is no longer displayed. (BZ#1557883)
    
    * Previously, due to a bug in the Certificate System installation
    procedure, installing a Key Recovery Authority (KRA) with ECC keys
    failed. To fix the problem, the installation process has been updated
    to handle both RSA and ECC subsystems automatically. As a result,
    installing subsystems with ECC keys no longer fail. (BZ#1581134)
    
    * Previously, during verification, Certificate System encoded the ECC
    public key incorrectly in CMC Certificate Request Message Format
    (CRMF) requests. As a consequence, requesting an ECC certificate with
    Certificate Management over CMS (CMC) in CRMF failed. The problem has
    been fixed, and as a result, CMC CRMF requests using ECC keys work as
    expected. (BZ#1585945)
    
    Enhancement(s) :
    
    * The pkispawn man page has been updated and now describes the
    --skip-configuration and --skip-installation parameters. (BZ#1551067)
    
    * With this update, Certificate System adds the Subject Alternative
    Name (SAN) extension by default to server certificates and sets it to
    the Common Name (CN) of the certificate. (BZ#1581135)
    
    * With this enhancement, users can create Certificate Request Message
    Format (CRMF) requests without the key archival option when using the
    CRMFPopClient utility. This feature increases flexibility because a
    Key Recovery Authority (KRA) certificate is no longer required.
    Previously, if the user did not pass the '-b
    transport_certificate_file' option to CRMFPopClient, the utility
    automatically used the KRA transport certificate stored in the
    transport.txt file. With this update, if '-b
    transport_certificate_file' is not specified, Certificate System
    creates a request without using key archival. (BZ#1588945)"
      );
      # https://lists.centos.org/pipermail/centos-announce/2018-July/022940.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?123f904f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected pki-core packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1080");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pki-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-base-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-base-java-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-ca-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-javadoc-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-kra-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-server-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-symkey-10.5.1-13.1.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pki-tools-10.5.1-13.1.el7_5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pki-base / pki-base-java / pki-ca / pki-javadoc / pki-kra / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-1979.NASL
    description: An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es) : * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (CVE-2018-1080) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Fraser Tweedale (Red Hat). Bug Fix(es) : * Previously, when ECC keys were enrolled, Certificate Management over CMS (CMC) authentication failed with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110710
    published: 2018-06-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110710
    title: RHEL 7 : pki-core (RHSA-2018:1979)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-1979.NASL
    description: From Red Hat Security Advisory 2018:1979 : An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es) : * pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (CVE-2018-1080) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. This issue was discovered by Fraser Tweedale (Red Hat). Bug Fix(es) : * Previously, when ECC keys were enrolled, Certificate Management over CMS (CMC) authentication failed with a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110750
    published: 2018-06-28
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110750
    title: Oracle Linux 7 : pki-core (ELSA-2018-1979)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0063_PKI-CORE.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has pki-core packages installed that are affected by a vulnerability: - Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will deny access and deny rules will grant access. This may result in an escalation of privileges or have other unintended consequences. (CVE-2018-1080) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127259
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127259
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : pki-core Vulnerability (NS-SA-2019-0063)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20180626_PKI_CORE_ON_SL7_X.NASL
    description: Security Fix(es) : - pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (CVE-2018-1080) Bug Fix(es) : - Previously, when ECC keys were enrolled, Certificate Management over CMS (CMC) authentication failed with a
    last seen: 2020-03-18
    modified: 2018-06-27
    plugin id: 110719
    published: 2018-06-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110719
    title: Scientific Linux Security Update : pki-core on SL7.x x86_64 (20180626)

Redhat

advisories
bugzilla
id: 1588945
title: CRMFPopClient tool - should allow option to do no key archival [rhel-7.5.z]
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: pki-tools is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979001
        • comment: pki-tools is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335002
      • AND
        • comment: pki-symkey is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979003
        • comment: pki-symkey is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20130511022
      • AND
        • comment: pki-javadoc is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979005
        • comment: pki-javadoc is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335006
      • AND
        • comment: pki-base is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979007
        • comment: pki-base is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335008
      • AND
        • comment: pki-ca is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979009
        • comment: pki-ca is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20130511004
      • AND
        • comment: pki-base-java is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979011
        • comment: pki-base-java is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335012
      • AND
        • comment: pki-server is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979013
        • comment: pki-server is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335016
      • AND
        • comment: pki-kra is earlier than 0:10.5.1-13.1.el7_5
          oval: oval:com.redhat.rhsa:tst:20181979015
        • comment: pki-kra is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20172335014
rhsa
id: RHSA-2018:1979
released: 2018-06-26
severity: Moderate
title: RHSA-2018:1979: pki-core security, bug fix, and enhancement update (Moderate)
rpms
  • pki-base-0:10.5.1-13.1.el7_5
  • pki-base-java-0:10.5.1-13.1.el7_5
  • pki-ca-0:10.5.1-13.1.el7_5
  • pki-core-debuginfo-0:10.5.1-13.1.el7_5
  • pki-javadoc-0:10.5.1-13.1.el7_5
  • pki-kra-0:10.5.1-13.1.el7_5
  • pki-server-0:10.5.1-13.1.el7_5
  • pki-symkey-0:10.5.1-13.1.el7_5
  • pki-tools-0:10.5.1-13.1.el7_5