CVE-2021-3698

7.5 HIGH

📋 TL;DR

CVE-2021-3698 is an authentication bypass vulnerability in Cockpit's SSSD certificate verification. It allows client certificates to authenticate successfully even when they should be rejected due to CRL configuration or revoked status. This affects Cockpit versions prior to 260 on systems using SSSD with certificate authentication.

💻 Affected Systems

Products:
  • Cockpit
Versions: All versions prior to 260
Operating Systems: Linux distributions using Cockpit with SSSD
Default Config Vulnerable: ✅ No
Notes: Only affects systems where Cockpit is configured to use SSSD with certificate authentication and CRL checking is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users gain access to Cockpit administrative interface with valid but revoked certificates, potentially leading to full system compromise and data exfiltration.

🟠 Likely Case

Attackers with previously valid certificates that have been revoked can maintain persistent access to Cockpit-managed systems.

🟢 If Mitigated

If certificate revocation checking is disabled or not configured, the vulnerability has minimal additional impact beyond normal certificate authentication risks.

🌐 Internet-Facing: MEDIUM - Cockpit is typically not exposed to the internet, but if it is, this allows bypass of certificate revocation controls.
🏢 Internal Only: MEDIUM - Internal attackers with revoked certificates could maintain unauthorized access to managed systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a valid client certificate that has been revoked or should be rejected based on CRL configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cockpit 260 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1992149

Restart Required: Yes

Instructions:

1. Update Cockpit to version 260 or later using your distribution's package manager.
2. Restart the Cockpit service: 'systemctl restart cockpit.socket cockpit.service'.
3. Verify the update with 'cockpit-bridge --version'.

🔧 Temporary Workarounds

Disable certificate authentication

linux

Temporarily disable certificate-based authentication in Cockpit until patching is possible.

Modify /etc/cockpit/cockpit.conf to remove or comment out certificate authentication settings

Disable CRL checking in SSSD

linux

If CRL checking is not required, disable it in SSSD configuration to mitigate the bypass.

Set 'ldap_tls_crl_check' to 'never' in /etc/sssd/sssd.conf and restart SSSD: 'systemctl restart sssd'

🧯 If You Can't Patch

  • Restrict network access to Cockpit to trusted IP ranges only
  • Implement additional authentication factors beyond certificate authentication

🔍 How to Verify

Check if Vulnerable:

Check Cockpit version with 'cockpit-bridge --version' or 'rpm -q cockpit' and verify if below 260. Also check if SSSD certificate authentication is configured.

Check Version:

cockpit-bridge --version || rpm -q cockpit || dpkg -l cockpit

Verify Fix Applied:

Verify Cockpit version is 260 or higher with 'cockpit-bridge --version'. Test authentication with a revoked certificate to ensure it's properly rejected.
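The version-and-configuration check described above, as an added shell example (not from the advisory or from the Cockpit project). It assumes that the first integer in the output of 'cockpit-bridge --version', 'rpm -q cockpit' or 'dpkg -l cockpit' is the Cockpit release number, and that ClientCertAuthentication under [WebService] in cockpit.conf is the setting that enables client-certificate authentication.

```shell
#!/bin/sh
# Added example, not from the advisory: flag a host that matches the vulnerable
# configuration for CVE-2021-3698, i.e. Cockpit older than 260 with client
# certificate authentication switched on in cockpit.conf.
# Assumptions: the first run of digits in the output of `cockpit-bridge --version`,
# `rpm -q cockpit` or `dpkg -l cockpit` is the Cockpit release number, and
# ClientCertAuthentication under [WebService] is the key that enables it.

FIXED_VERSION=260

# cockpit_version STRING: print the first integer in STRING (empty if none).
cockpit_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# cert_auth_enabled FILE: succeed if [WebService] sets ClientCertAuthentication
# to a true value; commented-out lines (# or ;) are ignored.
cert_auth_enabled() {
    [ -r "$1" ] || return 1
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_ws = ($0 ~ /^[ \t]*\[WebService\][ \t]*$/); next }
        in_ws {
            key = $1; gsub(/[ \t]/, "", key)
            val = tolower($2); gsub(/[ \t]/, "", val)
            if (key == "ClientCertAuthentication" &&
                (val == "yes" || val == "true" || val == "1")) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# cockpit_vulnerable VERSION_STRING CONF_FILE: 0 = vulnerable, 1 = not,
# 2 = version could not be parsed.
cockpit_vulnerable() {
    ver=$(cockpit_version "$1")
    [ -n "$ver" ] || return 2
    [ "$ver" -lt "$FIXED_VERSION" ] || return 1
    cert_auth_enabled "$2"
}

# Live check, only when run as `sh check.sh --live` (so the functions above
# can also be sourced and exercised with constructed input).
if [ "${1:-}" = "--live" ]; then
    out=$(cockpit-bridge --version 2>/dev/null || rpm -q cockpit 2>/dev/null || dpkg -l cockpit 2>/dev/null) || true
    if cockpit_vulnerable "$out" /etc/cockpit/cockpit.conf; then
        echo "VULNERABLE: Cockpit $(cockpit_version "$out") with ClientCertAuthentication enabled"
    else
        echo "not vulnerable, or could not determine (version: '$(cockpit_version "$out")')"
    fi
fi
```

A result of "could not determine" means no release number was found in the version output, so check the package manually rather than treating the host as fixed.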

📡 Detection & Monitoring

Log Indicators:

  • Successful authentication events in /var/log/cockpit/cockpit.log with certificates that should be revoked
  • SSSD authentication logs showing certificate verification bypass

Network Indicators:

  • Authentication attempts to Cockpit web interface (typically port 9090) with certificate authentication

SIEM Query:

source="cockpit.log" AND "authentication" AND "certificate" AND status="success" | join [search source="sssd.log" AND "certificate" AND "revoked"]
