CVE-2021-40088

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.

CVSS v3 5.4 MEDIUM
CVSS v2.0 4.9 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:P

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://support.primekey.com/news/posts/51	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:primekey:ejbca:*:*:*:*:enterprise:*:*:*

History

No history.

Information

Published : 2021-08-25 02:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-40088

Mitre link : CVE-2021-40088

CVE.ORG link : CVE-2021-40088

JSON object : View

Products Affected

primekey

ejbca

CWE

CWE-862

Missing Authorization

{"id": "CVE-2021-40088", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2021-08-25T02:15:08.230", "references": [{"url": "https://support.primekey.com/news/posts/51", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant."}, {"lang": "es", "value": "Se ha detectado un problema en PrimeKey EJBCA versiones anteriores a 7.6.0. El modo CMP RA puede ser configurado para usar un certificado de cliente conocido para autenticar a los clientes que se inscriben. El mismo certificado de cliente RA es usado tambi\u00e9n para las peticiones de revocaci\u00f3n. Mientras que la inscripci\u00f3n refuerza las restricciones de tenencia m\u00faltiple (al verificar que el certificado del cliente tiene acceso a la CA y a los Perfiles contra los que se est\u00e1 inscribiendo), esta comprobaci\u00f3n no se llevaba a cabo cuando se autenticaban las operaciones de revocaci\u00f3n, permitiendo a un tenedor conocido revocar un certificado perteneciente a otro tenedor."}], "lastModified": "2021-09-07T14:17:56.557", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:primekey:ejbca:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "69AD9042-C5D5-4D8D-8243-072E5D69E223", "versionEndExcluding": "7.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}