CVE-2021-3551
📋 TL;DR
CVE-2021-3551 is a credential exposure vulnerability in Dogtag PKI-server: the pkispawn command, when run in debug mode, writes the admin credentials into the installation log file. A local attacker who can read that log obtains the admin password and can gain administrative privileges on the Dogtag Certificate Authority manager. Systems running Dogtag PKI-server that were installed with debug mode enabled are affected.
💻 Affected Systems
- Dogtag PKI-server
📦 What is this software?
Dogtagpki by Dogtagpki
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Ibm Z Systems Eus by Redhat
Enterprise Linux For Power Little Endian by Redhat
Enterprise Linux For Power Little Endian Eus by Redhat
Enterprise Linux Server Update Services For Sap Solutions by Redhat
Fedora by Fedoraproject
Linux by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains administrative control over Dogtag CA, allowing certificate issuance/revocation, system configuration changes, and potential compromise of the entire PKI infrastructure.
Likely Case
Local user with file read access obtains admin credentials and gains unauthorized administrative access to the CA manager.
If Mitigated
Attackers cannot read the log files because of restrictive file permissions, or debug mode is disabled so credentials are never written to the logs.
🎯 Exploit Status
Exploitation requires local access and ability to read installation log files; trivial for users with appropriate file permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Dogtag PKI-server 10.11.3 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1959971
Restart Required: Yes
Instructions:
1. Update Dogtag PKI-server to version 10.11.3 or later.
2. Restart the PKI-server service.
3. Remove any existing installation log files containing credentials.
🔧 Temporary Workarounds
Disable debug mode and secure log files
Prevent credential logging by disabling debug mode, and restrict access to existing log files:
chmod 600 /var/log/pki/installation/*.log
chown root:root /var/log/pki/installation/*.log
🧯 If You Can't Patch
- Ensure installation log files have restrictive permissions (600) and are owned by root
- Audit and remove any existing log files containing credentials from previous installations
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Dogtag PKI-server version is below 10.11.3, and review the installation logs for exposed credentials.
Check Version:
pki-server --version
Verify Fix Applied:
Verify that the Dogtag PKI-server version is 10.11.3 or later, and confirm that debug mode is not enabled when pkispawn is run.
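The checks above (version at or above 10.11.3, log files restricted to root with mode 600, no credentials left in old installation logs) can be scripted. The following audit script is an added example written for this page; it is not part of the advisory or the Dogtag project. It assumes the logs live under the advisory's /var/log/pki/installation/ (overridable with LOG_DIR), that leaked credentials appear under pkispawn's pki_*_password config key names, and that the admin passes the version string from pki-server --version as a plain X.Y.Z value.

```shell
#!/bin/sh
# Added example, not from the advisory or the Dogtag project: a defender-side
# audit for CVE-2021-3551. Assumptions: installation logs sit under LOG_DIR
# (the advisory's /var/log/pki/installation/); leaked credentials use the
# pki_*_password key names of pkispawn deployment configs; the fixed version
# is 10.11.3 as the advisory states; versions are passed as plain X.Y.Z.

LOG_DIR="${LOG_DIR:-/var/log/pki/installation}"
FIXED_VERSION="10.11.3"
CRED_PATTERN='pki_[a-z_]*password[[:space:]]*[=:]'

# version_is_fixed X.Y.Z -> 0 if X.Y.Z is at least FIXED_VERSION, else 1
version_is_fixed() {
    have="$1"
    set -- $(echo "$have" | tr '.' ' ')
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $(echo "$FIXED_VERSION" | tr '.' ' ')
    f1=${1:-0}; f2=${2:-0}; f3=${3:-0}
    [ "$h1" -gt "$f1" ] && return 0
    [ "$h1" -lt "$f1" ] && return 1
    [ "$h2" -gt "$f2" ] && return 0
    [ "$h2" -lt "$f2" ] && return 1
    [ "$h3" -ge "$f3" ]
}

# log_leaks_credentials FILE -> 0 if the file holds a password-like entry
log_leaks_credentials() {
    grep -Eiq "$CRED_PATTERN" "$1"
}

# log_perms_ok FILE [OWNER] -> 0 if mode is 600 or 400 and the owner matches
# (OWNER defaults to root, as the workaround requires)
log_perms_ok() {
    expected_owner="${2:-root}"
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
    case "$mode" in
        600|400) [ "$owner" = "$expected_owner" ] ;;
        *) return 1 ;;
    esac
}

# audit_logs -> scans every *.log under LOG_DIR, prints findings,
# returns 1 if any file leaks credentials or has loose permissions
audit_logs() {
    status=0
    for f in "$LOG_DIR"/*.log; do
        [ -f "$f" ] || continue
        if log_leaks_credentials "$f"; then
            echo "CREDENTIAL LEAK: $f (remove once the install is confirmed complete)"
            status=1
        fi
        if ! log_perms_ok "$f"; then
            echo "LOOSE PERMS: $f (expected mode 600, owner root)"
            status=1
        fi
    done
    return $status
}

# Entry point: exit status is non-zero when anything needs attention.
audit_logs
```

Run it as root on the PKI host; a non-zero exit status means at least one log still needs the chmod/chown from the workaround or should be deleted. The version check is separate so it can be fed the value reported by pki-server --version, e.g. version_is_fixed 10.11.2 returns 1 (still vulnerable).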
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to installation log files
- Admin credential strings appearing in log analysis
Network Indicators:
- Unusual administrative activity from non-admin users
SIEM Query:
source="/var/log/pki/installation/" AND (event="read" OR event="access") AND user!="root"