Bug #7822

CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests

Added by Dominic Cleal almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Urgent
Assigned To: Dominic Cleal
Category: SSL
Target version: Foreman - Sprint 30
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/smart-proxy/pull/217
Story points: -
Velocity based estimate: -
Release: 1.5.4
Release relationship: Auto

Description

Reported to foreman-security by Michael Moll. Also reported by Jon McKenzie in a comment here: http://projects.theforeman.org/issues/5651#note-1, and possibly the same as Michael Messmore's #6677 ticket.

The smart proxy, when running in an SSL-secured mode, permits incoming API calls to any endpoint without requiring, or performing any verification of, an SSL client certificate. This permits any client with access to the API to make requests and perform actions (permitting control of Puppet CA, DHCP, DNS etc.).

Users are strongly recommended to ensure smart proxy ports (typically 8443/tcp) are firewalled so only Foreman hosts can access the service and to set the "trusted_hosts" config setting in /etc/foreman-proxy/settings.yml to a list of Foreman hostnames for host-based access control.

See https://groups.google.com/forum/#!topic/foreman-announce/jXC5ixybjqo for more information on mitigation.
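
The missing check described above (an HTTPS request accepted with no client certificate), combined with a trusted_hosts comparison, as an added sketch that is not smart-proxy code. `authorize_https`, `constructed_cert_pem` and the example hostnames are hypothetical; the sketch assumes the TLS layer has already verified any presented certificate against the CA, and it chooses to deny everything when trusted_hosts is empty.

```ruby
require 'openssl'

# Hypothetical gate for a request that arrived over HTTPS (not smart-proxy code).
# Assumption: the TLS layer already verified any presented certificate against
# the CA; env is a Rack-style hash. Returns [status, reason].
def authorize_https(env, trusted_hosts)
  pem = env['SSL_CLIENT_CERT'].to_s
  # A missing or empty value means the client presented no certificate at all.
  return [403, 'no client SSL certificate supplied'] if pem.strip.empty?

  begin
    cert = OpenSSL::X509::Certificate.new(pem)
  rescue OpenSSL::X509::CertificateError
    return [403, 'client certificate could not be parsed']
  end
  cn = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }
  return [403, 'client certificate has no CN'] unless cn

  host = cn[1].downcase
  # Choice made in this sketch: an empty trusted_hosts list denies everyone.
  unless trusted_hosts.map(&:downcase).include?(host)
    return [403, "#{host} is not in trusted_hosts"]
  end
  [200, "authorized as #{host}"]
end

# Constructed sample input: a throwaway self-signed certificate for +cn+,
# standing in for a certificate the TLS layer has already verified.
def constructed_cert_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  trusted = ['foreman.example.com'] # constructed hostname
  good = { 'SSL_CLIENT_CERT' => constructed_cert_pem('foreman.example.com') }
  other = { 'SSL_CLIENT_CERT' => constructed_cert_pem('other.example.com') }
  [{}, good, other].each { |env| p authorize_https(env, trusted) }
end
```

The presence check only has meaning when the server's TLS configuration verifies presented certificates against the CA; a certificate that is merely present in the environment proves nothing by itself.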


Related issues

Related to Smart-Proxy - Feature #6677: Autosign entry additions should require authentication (Resolved, 07/17/2014)
Related to Smart-Proxy - Refactor #7832: Integration test for SSL verification (Ready For Testing, 10/07/2014)
Related to Smart-Proxy - Feature #7849: trusted_hosts should determine hostname from certificate ... (Closed, 10/08/2014)
Related to Installer - Bug #8301: Add a checker script for reverse DNS (New, 11/06/2014)
Duplicated by Smart-Proxy - Bug #5651: The 'trusted_hosts' config key has an unintuitive (and po... (Duplicate, 05/09/2014)

Associated revisions

Revision 52f0bacf
Added by Dominic Cleal almost 2 years ago

fixes #7822 - forbid HTTPS requests with no client SSL certificate

History

#1 Updated by Dominic Cleal almost 2 years ago

  • Project changed from Foreman to Smart-Proxy
  • Category changed from Security to SSL

#2 Updated by Dominic Cleal almost 2 years ago

  • Duplicated by Bug #5651: The 'trusted_hosts' config key has an unintuitive (and potentially dangerous) behavior added

#3 Updated by Dominic Cleal almost 2 years ago

  • Related to Feature #6677: Autosign entry additions should require authentication added

#4 Updated by Dominic Cleal almost 2 years ago

  • Status changed from New to Assigned
  • Assigned To set to Dominic Cleal

#5 Updated by The Foreman Bot almost 2 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/217 added

#6 Updated by Dominic Cleal almost 2 years ago

  • Related to Refactor #7832: Integration test for SSL verification added

#7 Updated by Dominic Cleal almost 2 years ago

  • Related to Feature #7849: trusted_hosts should determine hostname from certificate CN on SSL requests added

#8 Updated by Dominic Cleal almost 2 years ago

  • Description updated (diff)

#9 Updated by Dominic Cleal almost 2 years ago

  • Release set to 1.5.4

#10 Updated by Dominic Cleal almost 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#11 Updated by Dominic Cleal almost 2 years ago

We plan on releasing updated foreman-proxy packages as part of 1.5.4 and 1.6.2.

#12 Updated by Dominic Cleal almost 2 years ago

  • Subject changed from Smart proxy doesn't perform verification of client SSL certificate on API requests to CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests

#14 Updated by Dominic Cleal almost 2 years ago

  • Related to Bug #8301: Add a checker script for reverse DNS added
