Project

General

Profile

Bug #11579

CVE-2015-5233 - reports show/destroy not restricted by host authorization

Added by Dominic Cleal over 3 years ago. Updated 5 months ago.

Status:
Closed
Priority:
High
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Foreman 1.5.0 or higher are vulnerable to an authorization issue that allows users to view and delete reports for hosts that they don't have access to.

Reports (from tools such as Puppet) are stored in Foreman and associated to the host they came from. Users can be granted permissions to view and/or destroy reports, and also separate permissions to view certain hosts. The UI and API only list reports where the user has permission to view both reports and the host it was from.

The security issue is that both the show and destroy actions for viewing and deleting individual reports do not limit access to the hosts that the user has permission to view. A user with permission to view or destroy reports can do so for any host if they know the ID, or can easily view the last report for a given host.

Thanks to Daniel Lobato Garcia of Red Hat for reporting this to .

Associated revisions

Revision 293036df (diff)
Added by Daniel Lobato Garcia over 3 years ago

Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)

ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.

I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.

Revision d213e460 (diff)
Added by Daniel Lobato Garcia over 3 years ago

Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)

ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.

I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.

(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)

Revision be0b9bee (diff)
Added by Daniel Lobato Garcia about 3 years ago

Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)

ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, as to not give hints whether a Report
ID or Host ID are valid.

I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.

(cherry picked from commit 293036dfa71ae70624663647f1ef70798bf53d3e)

History

#1 Updated by Dominic Cleal over 3 years ago

It looks like this extends to both the regular #show and #destroy behaviour on the UI and API controllers, which would allow somebody with *_reports permission but not the associated host to view or destroy a report.

I think the vulnerable locations are:

1. ReportsController#show, #destroy - allowing viewing and deletion of reports for users with the appropriate *_reports permission but not the appropriate view_hosts permission. (Not just "last".)

2. API ReportsController#show, #destroy - ditto, but I think the #last method is safe as it uses Report.my_reports.

The authorisation here is complex and two-fold, as it's both using .authorized and .my_reports to limit based on both reports and host permissions (inc taxonomies).

#2 Updated by Dominic Cleal over 3 years ago

  • Description updated (diff)

#3 Updated by Daniel Lobato Garcia over 3 years ago

  • Assignee set to Daniel Lobato Garcia

#4 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2644 added
  • Pull request deleted ()

#5 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 72 to 84

#6 Updated by Daniel Lobato Garcia over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Bryan Kearney about 3 years ago

  • Bugzilla link set to 1263741

Also available in: Atom PDF