Updated rhpki-common packages that fix security issues are now available for Red Hat Certificate System 7.3. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Red Hat Certificate System (RHCS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

It was discovered that Red Hat Certificate System used insecure default file permissions on certain configuration files (for example, password.conf) that may contain authentication credentials. These credentials should only be accessible to administrative and service users. A local user could use this flaw to read Red Hat Certificate System configuration files containing sensitive information. (CVE-2008-2367)

It was discovered that Red Hat Certificate System stored plain text passwords in multiple debug log files with insufficient access restrictions (for example, the UserDirEnrollment log and the RA wizard installer log). A local user could use this flaw to extract plain text passwords from the Red Hat Certificate System debug log files. (CVE-2008-2368)

It was discovered that the Token Processing System (TPS) component of the Red Hat Certificate System did not properly verify the challenge response received during the enrollment of a new security token. An attacker with access to a blank token known to the TPS component and with privileges to perform new token enrollments could use this flaw to complete the enrollment procedure with a software-generated key instead of the key stored in the hardware token. (CVE-2008-5082)

These updated packages fix the following bugs:

* The end-entities enrollment pages have been updated to support the certenroll.dll library used on Microsoft Vista, so Internet Explorer can be used to enroll certificates on Vista.

* The password used by the LDAP publisher was improperly stored in the CA configuration. This essentially required that the LDAP publishing password be the same as the internal database (LDAP directory) password, or LDAP publishing would break. A new parameter was added to the CA CS.cfg file to define an LDAP publishing password parameter in the CA's password.conf file.

* The secure ports used by subsystem interfaces - the administrative console, agent pages, and end-entities pages - are, by default, the same. With this errata it is possible to run those services on separate ports, which provides additional protection by preventing agents and users from accessing the same TCP port and web services directory.

* The certificate policies extension was not processed by CMSServlet.

* Any IP address defined in a certificate's SubjectAltName parameter was improperly encoded as an 8-byte value, with the last 4 bytes trailing zeros (00 00 00 00).

* The subject name uniqueness plug-in in the CA profiles, which enforces unique names for all active certificates, would reject a certificate request that reused a subject name even if the previous certificate had been revoked or expired.

* The TPS dependencies have been changed from MozLDAP5 to MozLDAP6.

All users of Red Hat Certificate System 7.3 should upgrade to these updated packages, which resolve these issues.
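The two local-disclosure flaws above (CVE-2008-2367, configuration files such as password.conf readable by other local users, and CVE-2008-2368, plain text passwords left in debug logs) are the kind of thing an administrator can verify on a host after applying the update. The following POSIX shell helper is an added example written for this page; it is not part of the advisory or of the RHCS packages. The directory and log paths it takes are assumptions supplied by the caller, and the sample files it builds in its demo function are constructed for illustration. It reports which files under a configuration directory are readable by group or others, and which log lines look like they carry a password, printing only line numbers so the report itself never repeats a secret.

```shell
#!/bin/sh
# Added example (not RHCS code): post-update checks for the two local
# disclosure issues described in the advisory.

# List regular files under a directory that grant read access to group or
# others. Files holding credentials (e.g. password.conf) should not appear.
# The directory argument is an assumption: pass the subsystem's config dir.
world_readable_files() {
    dir="$1"
    # -perm -g+r matches group-readable, -perm -o+r matches other-readable
    find "$dir" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null | sort
}

# Print the line numbers of log lines that look like "password: ..." or
# "bindPassword=...". Only the line number is printed, never the value,
# so running the check does not copy the secret into another file.
log_password_lines() {
    grep -n -i -E 'passw(or)?d[[:space:]]*[:=]' "$1" 2>/dev/null | cut -d: -f1
}

# Build a small constructed sample tree (assumed layout, not a real RHCS
# install) and run both checks against it. Returns 0 when the checks find
# exactly the planted problems, 1 otherwise.
demo_run() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/conf"
    # password.conf locked down correctly: owner read/write only
    printf 'internal=constructed-secret\n' > "$tmp/conf/password.conf"
    chmod 600 "$tmp/conf/password.conf"
    # CS.cfg deliberately left world-readable to show up in the report
    printf 'ca.publish.enable=true\n' > "$tmp/conf/CS.cfg"
    chmod 644 "$tmp/conf/CS.cfg"
    # debug log with one constructed line leaking a password value
    printf 'starting wizard\nbindPassword: constructed-secret\ndone\n' \
        > "$tmp/debug.log"

    found_files=$(world_readable_files "$tmp/conf")
    found_lines=$(log_password_lines "$tmp/debug.log")
    rm -rf "$tmp"

    [ "$found_files" = "$tmp/conf/CS.cfg" ] || return 1
    [ "$found_lines" = "2" ] || return 1
    return 0
}

# Usage: sh audit.sh /path/to/conf /path/to/debug.log
if [ "$#" -eq 2 ]; then
    echo "Files readable by group or others under $1:"
    world_readable_files "$1"
    echo "Lines in $2 that appear to contain a password:"
    log_password_lines "$2"
fi
```

The permission check uses `find -perm` with symbolic modes, which is POSIX, so it behaves the same on the older systems RHCS 7.3 ran on. The log check is intentionally coarse (any `password:` or `password=` pattern); on a real host the hits still need to be reviewed by hand, and lines that do carry a value should be treated as a credential exposure and the password rotated.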