idm:DL1 security update

Errata ID: AXSA:2024-7462:01

Release date: Thursday, January 25, 2024 - 08:10
Subject: idm:DL1 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

Asianux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):

* Kerberos: delegation constrain bypass in S4U2Proxy (CVE-2020-17049)
* ipa: Invalid CSRF protection (CVE-2023-5455)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-17049
A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
CVE-2023-5455
A cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing, it was found that for certain HTTP endpoints FreeIPA does not ensure CSRF protection. Due to implementation details, one cannot use this flaw for reflection of a cookie representing an already logged-in user. An attacker would always have to go through a new authentication attempt.

Modularity name: "idm"
Stream name: "DL1"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. bind-dyndb-ldap-11.6-4.module+el8+1717+89555bb9.src.rpm
    MD5: 1e0d1a1d0ae79027f5cdab6ba357c274
    SHA-256: a3d8b77f21f8f1e52a2dc86dfa6451229993a6fb31d1a9aaf0caad333c6dca3e
    Size: 369.24 kB
  2. custodia-0.6.0-3.module+el8+1717+89555bb9.src.rpm
    MD5: 058b5c456d1809315d0dd94954967d5e
    SHA-256: 044f03c229570e0b5d5cb4ebcf7cc99a43dc0be1c71392ccc146ce24e806f2de
    Size: 144.66 kB
  3. ipa-healthcheck-0.12-3.module+el8+1717+89555bb9.src.rpm
    MD5: 8081f1bf28bb0b6f430f32435e43fc3e
    SHA-256: 41fc846bcba44e580f2c87b3b2840f4f38570fd3e376e5e41820d08dfc605c43
    Size: 130.65 kB
  4. ipa-4.9.12-11.module+el8+1717+89555bb9.ML.1.src.rpm
    MD5: a4a5fd09ae384e42057863bbb6cfa7af
    SHA-256: b46f55c265628f747e5c73562a84cba17d48f2d685210e2fd7c2b316c7328342
    Size: 51.18 MB
  5. opendnssec-2.1.7-1.module+el8+1717+89555bb9.src.rpm
    MD5: dda6e7b881144ecf104347c9f8c32889
    SHA-256: 7380eeb932000c7908ce01dcd3c953e9ae6726b5110df8e602f80fda6c501733
    Size: 1.09 MB
  6. python-jwcrypto-0.5.0-1.1.module+el8+1717+89555bb9.src.rpm
    MD5: 63f60373ee61e72b7c98370bb3004ab6
    SHA-256: 475735b2fd865d2366771d5fd04a8a528ab1bf41675570b8cfa16aae3c09e6d4
    Size: 76.55 kB
  7. python-kdcproxy-0.4-5.module+el8+1717+89555bb9.src.rpm
    MD5: 6125bcbe41e8a484922184cc92a41dfa
    SHA-256: 13585b298515891234a554cd95db69d72d686784eefe4581e8e6042ff6caee96
    Size: 36.22 kB
  8. python-qrcode-5.1-12.module+el8+1717+89555bb9.src.rpm
    MD5: 9aa8c6425ff2de48d719c6a82c043b64
    SHA-256: ce2ba1d4644368524acb9a341d08d4ed47304d09e625db2d43b696a9d90d720b
    Size: 33.36 kB
  9. python-yubico-1.3.2-9.1.module+el8+1717+89555bb9.src.rpm
    MD5: 0c8333c3d66f3f24dc3d0552c8c757d4
    SHA-256: f1695ae0006a8a079524ac88f5a4c10c5a7a5f84a1409b8210ed449dc04a41cb
    Size: 50.84 kB
  10. pyusb-1.0.0-9.1.module+el8+1717+89555bb9.src.rpm
    MD5: d0ae668f9ea8f66c254b2b935865a68a
    SHA-256: c767a1c5d72fee2e9622994e885f759887564719309a71212764f34169cbfdfe
    Size: 78.96 kB
  11. slapi-nis-0.60.0-4.module+el8+1717+89555bb9.ML.1.src.rpm
    MD5: a928b0c0cfe54900f79925ef410ae975
    SHA-256: d3683bdacb40c75acc463ee35efee1c8dfcb2e76af18e748310a0c9fc5f28272
    Size: 646.84 kB
  12. softhsm-2.6.0-5.module+el8+1717+89555bb9.src.rpm
    MD5: 24366bbf75aeb557ebd24bdc45b98130
    SHA-256: 461d54ca472b7adfc8f05b3c98ae77578cad40b0ac48bb7d79061ed4add625e3
    Size: 1.03 MB

Asianux Server 8 for x86_64
  1. bind-dyndb-ldap-11.6-4.module+el8+1717+89555bb9.x86_64.rpm
    MD5: 056b129cdc3469531c67fd4e44509574
    SHA-256: a7cbf1d3cb0c8af80f174074d107e00b5a75ea82848a61e423e4398251573657
    Size: 126.70 kB
  2. bind-dyndb-ldap-debugsource-11.6-4.module+el8+1717+89555bb9.x86_64.rpm
    MD5: ff97aa1aaf3b5d17af6084695c320ead
    SHA-256: e38a2ef1212c0aead26de19b6723d71bdb2cecef65e66af43f431e0e265a2819
    Size: 114.39 kB
  3. custodia-0.6.0-3.module+el8+1717+89555bb9.noarch.rpm
    MD5: 8387ddfcd7a5209f3aa715be41904822
    SHA-256: 41d7bcfb9646556982849dd90b898796a4a24ca0626975f524c68a4717349cd2
    Size: 32.29 kB
  4. ipa-client-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: dd03fe5c3330f3332d26361505cb7dbc
    SHA-256: d8e2fd910d26b303555500b7732f3e9fd46d1431ae85488502f054bb699bb152
    Size: 288.56 kB
  5. ipa-client-common-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: f25ae49dab5d96b81f6a2e92ace48d9e
    SHA-256: 30317bce0f88c46955fec73d8eef2bc1f8b3f11d3fd4bc7d5af3846771c776e2
    Size: 190.17 kB
  6. ipa-client-epn-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 1b0f5afce7cf633c4ce8d2af52495017
    SHA-256: 42d6f0327a297921c6b223adf34dbb4f7a63190a4c721ebfe4f036a1ac1efde4
    Size: 188.22 kB
  7. ipa-client-samba-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 9db1aaf0b6e64ce7cb5bc6bb90bc6d30
    SHA-256: 7e81611742d565bd7ce49249239358ad536f5e961c48fc82c8a48ffd28afe36a
    Size: 183.74 kB
  8. ipa-common-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 7031a5b6a276cfc2315f821a5b866e54
    SHA-256: 48191add462114ca421f4540eff2d4595a6d7038cfce610e9ef8d9d5965b94ae
    Size: 799.52 kB
  9. ipa-debugsource-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 6ce65d10b6fdcbff1811ed4e3b7a2dc9
    SHA-256: b3c465e2579b5ad35e0c40aed591c6d6d648986c887ffb895916f1f535a6e2c3
    Size: 504.59 kB
  10. ipa-healthcheck-0.12-3.module+el8+1717+89555bb9.noarch.rpm
    MD5: b9740e2de381680130166a4b4ab33550
    SHA-256: 93d7fc601c7a07dcff73e8fc4beede48392d1d63c9cb295a5b58bfa97cf3783c
    Size: 113.20 kB
  11. ipa-healthcheck-core-0.12-3.module+el8+1717+89555bb9.noarch.rpm
    MD5: 2990aa44dae3977b2d09ef80a0c067fc
    SHA-256: f5238e2bdd7677907f48a21aa0536a1e42ca27dff44f55d1ba4914a17859eb16
    Size: 58.89 kB
  12. ipa-python-compat-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 1c013b96ea0eb577199514298df362ae
    SHA-256: 6551662fb89c21765a569d0dee8f8a3c452d09573595db7b485b49b78798b3b9
    Size: 181.56 kB
  13. ipa-selinux-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: eee2929c66fbea485c7f3791767a1639
    SHA-256: 8a093318e0961c5fe288a501dba09b208f8802f6654c705905f369a80ee85db1
    Size: 182.08 kB
  14. ipa-server-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 6f4fdb3c763fe1067e1a38b061909a0c
    SHA-256: 64dda28cd8f22943f48079c273884c3a79a68c58381c3a285121b34974648ad1
    Size: 550.74 kB
  15. ipa-server-common-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 63becdf47c06a90d66df7fd04818b86a
    SHA-256: 3b77e8498fd829635325943034a07e216ec482bf9d3eee6c8af48dad77c60d1b
    Size: 622.17 kB
  16. ipa-server-dns-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 45fa4c16df6f972d6f9a3c1865684267
    SHA-256: 543a1e03c1038dc12d13b620778492edfb1f62482375427884276c5a364dd4bd
    Size: 197.76 kB
  17. ipa-server-trust-ad-4.9.12-11.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 9162d6a2a18e5b66022710daeb1b7c46
    SHA-256: 2289a6afc02ebddef8af5e59fd24d6dcd80199017d60304e109e078a1f8435f7
    Size: 295.04 kB
  18. opendnssec-2.1.7-1.module+el8+1717+89555bb9.x86_64.rpm
    MD5: 665e79be1bb26f70b30e646fc353f407
    SHA-256: 452a5a20573d10b2198b64f888c7fd446914ba4007b5526b82065b5c6ac63ed4
    Size: 472.19 kB
  19. opendnssec-debugsource-2.1.7-1.module+el8+1717+89555bb9.x86_64.rpm
    MD5: daa2e14807f5aeec09cb52afeaf533dd
    SHA-256: e3665d1ef15afac3facdd86baf634bfd223a07a39905f274d12daa0b6e5c2c4c
    Size: 405.93 kB
  20. python3-custodia-0.6.0-3.module+el8+1717+89555bb9.noarch.rpm
    MD5: bd0d0e627bf2ce79991c219ecbd3dc0b
    SHA-256: af29c7df6b3a07538339e4827ded1b153a7a2b6d16e6dd9af6c7f98aab4e3746
    Size: 120.08 kB
  21. python3-ipaclient-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 292c4703298b0c1d8c882f79912a8efc
    SHA-256: bae9db8da8833f9d68380395ff77f4f955ca67c8c021071d79d06ebc9d3aaa5a
    Size: 695.68 kB
  22. python3-ipalib-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 22bf2923cfc0eb3d4965502911f9e32d
    SHA-256: 962c9fb4ad3765d946c3f8dd6ac25198f344c1781c8c2baaf6dd390943c6cb2b
    Size: 765.22 kB
  23. python3-ipaserver-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 35c4f09c35211314fd393e289d30a046
    SHA-256: b2f2926a7a166c753a45f2fceede0b3a09b4763288b77cdfcf8b55c7c0d28f5c
    Size: 1.65 MB
  24. python3-ipatests-4.9.12-11.module+el8+1717+89555bb9.ML.1.noarch.rpm
    MD5: 7488bc4bb5dd26f68b4cd6f5525270d4
    SHA-256: e349cd598ac9e306de312f8a3b73903b4c63b7dec77af0d301c6acfb33c04396
    Size: 1.72 MB
  25. python3-jwcrypto-0.5.0-1.1.module+el8+1717+89555bb9.noarch.rpm
    MD5: 5d7d2f312359fea755e87c4a58cbd8c7
    SHA-256: 6f0b9b2139680365dcae20e2db13bc61f3441bd4ce1629b717ea8407161d6d14
    Size: 64.42 kB
  26. python3-kdcproxy-0.4-5.module+el8+1717+89555bb9.noarch.rpm
    MD5: 64634f83e4c16bf7fc6c860a86aa99af
    SHA-256: ba6d2d5dfb4fb30d0cef7a75f2afdd3056ccbb015184db9b79c96e8baa8e0f18
    Size: 37.94 kB
  27. python3-pyusb-1.0.0-9.1.module+el8+1717+89555bb9.noarch.rpm
    MD5: 543ee0fe73583edfb3f97cb0da08b4f2
    SHA-256: 95db6fb562436f421d6bcd9e506b671b2b4eb31a85790b0def1d256190a0ef83
    Size: 86.87 kB
  28. python3-qrcode-5.1-12.module+el8+1717+89555bb9.noarch.rpm
    MD5: c96915ede289e870584c4e0f0170c60b
    SHA-256: de31d6db1e0f18d2aa30ad5c648f5ce79a189788701665aecf739189c0229bb4
    Size: 16.32 kB
  29. python3-qrcode-core-5.1-12.module+el8+1717+89555bb9.noarch.rpm
    MD5: 4a6a8f83a4917c868042e8fc403df58a
    SHA-256: 6e38691db7c100bd6ecc5cbbb34dd6456ee7afb397282df8ff845383d322ef55
    Size: 44.43 kB
  30. python3-yubico-1.3.2-9.1.module+el8+1717+89555bb9.noarch.rpm
    MD5: 5d3e4e0bb98ee7248118f59adf78c9bf
    SHA-256: 9ba2097fcf776dce398911fe035787dacd35bb11c305bcd598e3b7b39df22b24
    Size: 62.22 kB
  31. slapi-nis-0.60.0-4.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: af21abaeb11522eb81ee8022e62e872a
    SHA-256: 8a4dc02f8b1d2ead9d1c841b22f24e12c7c1a44693d7a52df677ef814c4a68f6
    Size: 159.68 kB
  32. slapi-nis-debugsource-0.60.0-4.module+el8+1717+89555bb9.ML.1.x86_64.rpm
    MD5: 4726e478161826863f74d5a5a63078e4
    SHA-256: 7985fa3c859d37b1685722231386935787a1f17a7f05561222d30c876d6b23fc
    Size: 135.21 kB
  33. softhsm-2.6.0-5.module+el8+1717+89555bb9.x86_64.rpm
    MD5: caaf1fd6d41a07dab1fd54de0ecd83fd
    SHA-256: 34669cdddaf28cbd7f410ef42b989ec9bd62dc643132b8b0f8e62a3492e43bb8
    Size: 429.88 kB
  34. softhsm-debugsource-2.6.0-5.module+el8+1717+89555bb9.x86_64.rpm
    MD5: 536129c7bcc78822e4d1b59eb6a0853b
    SHA-256: 8a640be7cf0be2570132e2496c63ae34fb12d86c10ba020be9d91791a804283c
    Size: 203.52 kB
  35. softhsm-devel-2.6.0-5.module+el8+1717+89555bb9.x86_64.rpm
    MD5: fa35bc1d182e5b0fe1a3a3f1d06420bf
    SHA-256: ea1f492dd8d026eb90d43622e114f4eaed56e705d0210e7898dce109069da72b
    Size: 20.48 kB