Project

General

Profile

Actions

Bug #9858

closed

CVE-2015-1816 - LDAP server SSL certificate not verified

Added by Marek Hulán almost 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When making an SSL connection to an LDAP authentication source in Foreman, the remote server certificate is accepted without any verification against known certificate authorities.

This can allow the LDAP connection between Foreman and the LDAP server to be attacked, and a different LDAP server could be contacted to authenticate users to Foreman.

Expected behaviour is that the certificate authority for the LDAP server should be stored and trusted somewhere, e.g. the system trust store (/etc/pki/tls/certs/ca-bundle.crt, or via update-ca-certificates).

Affects Foreman 1.3.0 or higher - since Puppet was removed as a dependency, the default SSL behaviour went back to no verification.


Files

fix_9858.diff fix_9858.diff 1.25 KB Marek Hulán, 03/23/2015 03:01 AM
fix_9858_monkey.diff fix_9858_monkey.diff 1.18 KB monkey patch for older versions Marek Hulán, 03/23/2015 11:27 AM

Related issues 2 (0 open2 closed)

Related to Foreman - Bug #9885: CVE-2015-1816 - LDAP server SSL certificate not verifiedClosedMarek Hulán03/24/2015Actions
Related to Foreman - Bug #10139: Cannot verify LDAPS SSL certificate on Debian installationResolved04/14/2015Actions
Actions #1

Updated by Marek Hulán almost 9 years ago

  • Category set to Authentication
  • Status changed from New to Assigned
Actions #2

Updated by Marek Hulán almost 9 years ago

  • Private changed from No to Yes
Actions #3

Updated by Marek Hulán almost 9 years ago

This patch requires ldap_fluff 0.3.4 and ruby-net-ldap 0.10, note that ruby-net-ldap dropped Ruby 1.8.7 support in 0.9 so backporting for Foreman 1.7 on debian might be quite hard.

Actions #4

Updated by Marek Hulán almost 9 years ago

The issue is that when user enables LDAPS, we don't check the certificate of LDAP server. ruby-net-ldap sets verify_mode to none by default. They added a way to pass parameters to SSL context so we can now enforce verify_mode to peer (on ruby-net-ldap 0.10 and latest ldap_fluff 0.3.4). After this patch if users use LDAPS and they didn't install CA authority certificate in their /etc/pki/* correctly they will start to see SSL exceptions.

As a following enhancement we can add a way to specify ca_file so they don't have to install it system-wide but that's out of scope of this fix.

Actions #5

Updated by Marek Hulán almost 9 years ago

  • Subject changed from Satellite 6 authentication with Active Directory on LDAP and LDAPS fails to CVE-2015-1816 - Satellite 6 authentication with Active Directory on LDAP and LDAPS fails
Actions #6

Updated by Dominic Cleal almost 9 years ago

  • Subject changed from CVE-2015-1816 - Satellite 6 authentication with Active Directory on LDAP and LDAPS fails to CVE-2015-1816 - LDAP server SSL certificate not verified
  • Description updated (diff)
  • translation missing: en.field_release set to 36
Actions #8

Updated by Dominic Cleal almost 9 years ago

Both fixes verified as fixing the issue, thanks.

Regarding the fix for develop: a) require ldap_fluff 0.3.4 in the Gemfile, b) add tests for the new #to_config behaviour.

Actions #9

Updated by Dominic Cleal almost 9 years ago

  • Description updated (diff)
  • Private changed from Yes to No

Unembargoed, fixing in public for Foreman 1.7.4 and 1.8.0-RC2. Marek, could you please open pull requests?

The "fix_9858_monkey.diff" patch may be applied to /usr/share/foreman on a production 1.7 (or probably older) installation to mitigate the issue, restart Apache/httpd to have it take effect.

To trust the LDAP server's certificate:

  • On a Red Hat based OS, add the LDAP server's CA certificate to /etc/pki/tls/certs/ca-bundle.crt
  • On Debian or Ubuntu, store the CA under /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates
Actions #10

Updated by The Foreman Bot almost 9 years ago

  • Pull request https://github.com/theforeman/foreman/pull/2265 added
  • Pull request deleted ()
Actions #11

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #9885: CVE-2015-1816 - LDAP server SSL certificate not verified added
Actions #12

Updated by Dominic Cleal almost 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #13

Updated by Vasil Mikhalenya almost 9 years ago

Guys, seems it does not work. AD auth with ssl enabled stopped working after upgrade to 1.7.4

Put CA, SubCA to /usr/lib/ssl/certs/ and run update-ca-certificates

openssl -CApath /usr/lib/ssl/certs/ connects smoothly but in foreman get

SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Actions #14

Updated by Marek Hulán almost 9 years ago

Why you have to specify the -CApath? I think you should verify the certificate installation without any params (curl https://$fqdn). Also I usually found cert storage at /etc/pki not in /usr/lib

Actions #15

Updated by Dominic Cleal almost 9 years ago

The path depends on the OS, but as you mention update-ca-certificates, I assume it's Debian or Ubuntu. It should in that case be /usr/local/share/ca-certificates/, not /usr/lib. Try restarting apache2 after adding to the certificate store.

Please also attach or pastebin the full output from: openssl s_client -CApath /etc/ssl/certs -connect ldap.example.com:636

Actions #16

Updated by Marek Hulán almost 9 years ago

On deb systems I though it was in /etc/ssl/certs

Actions #17

Updated by Dominic Cleal almost 9 years ago

Marek Hulán wrote:

On deb systems I though it was in /etc/ssl/certs

That's the dir that update-ca-certificates manages, I think you're meant to put your cert in /usr/local/share/ca-certificates/ for it to combine, else it could be wiped if it ever runs with --fresh.

Actions #18

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #10139: Cannot verify LDAPS SSL certificate on Debian installation added
Actions

Also available in: Atom PDF