Bug #15653
closed
CVE-2016-5390 - access to API host interfaces, parameters etc. are not restricted by view_hosts filters
Description
Non-admin users with the view_hosts permission containing a filter are able to access API routes beneath "hosts" such as GET /api/v2/hosts/secrethost/interfaces without the filter being taken into account. This allows users to access network interface details (including BMC login details) for any host.
The filter is only correctly used when accessing the main host details (/api/v2/hosts/secrethost). Access to the "nested" routes, which includes interfaces, reports, parameters, audits, facts and Puppet classes, is not authorized beyond requiring any view_hosts permission.
Affects Foreman 1.10.0 and higher.
Reported by Daniel Lobato Garcia, Nacho Barrientos and Steve Traylen to foreman-security@googlegroups.com.
CVE identifier will be requested.
Updated by Dominic Cleal over 8 years ago
- Related to Bug #8343: API resource_scope ignores options added
Updated by Dominic Cleal over 8 years ago
Further details from Daniel's report:
I dug into this, and here's the problem:
- https://github.com/theforeman/foreman/blob/1.12.0/app/controllers/concerns/find_common.rb#L37
is called from:
https://github.com/theforeman/foreman/blob/1.12.0/app/controllers/api/base_controller.rb#L302
because we have to get the 'parent scope' (the parent scope for the
'Interfaces' resource, is 'Host')
- scope_for is called so we get the list of hosts, scoped by permissions
- on line 42 we make this check 'resource.respond_to?(:authorized)',
which is called upon Host, therefore `Host.respond_to? :authorized`.
That returns false, because Host is a module, not a class. The class
that would return true to that would be Host::Base. We're aware
of this issue and we overcome it like this
https://github.com/theforeman/foreman/blob/1.12.0/app/models/host.rb#L21
I've changed the regex to be /(\Afind_by_(.*)\Z)|(\Aauthorized\Z)/ and
that fixes the problem. Notice this check would fail for any
/api/v2/hosts/:id/WHATEVER_RESOURCE , so audits, smart_class_parameters,
reports/last, smart_variables, facts can be affected too.
The change seems to have been introduced by #8343, as in 1.9-stable, the controller would always use an .authorized scope to find nested objects (i.e. the host of an interfaces call): https://github.com/theforeman/foreman/blob/1.9-stable/app/controllers/api/base_controller.rb#L215-L223. Since then, it checks that the parent resource responds to .authorized, as noted above.
Updated by Dominic Cleal over 8 years ago
My suggestion for a fix is to improve the extract_resource_from_param/resource_class_for methods to return Host::Managed rather than the Host module, which means the authorisation and or methods will always be against the correct object. Changing the behaviour of Host might lead to more subtle bugs.
Updated by Dominic Cleal over 8 years ago
- Subject changed from Access to API host interfaces, parameters etc. are not restricted by view_hosts filters to CVE-2016-5390 - access to API host interfaces, parameters etc. are not restricted by view_hosts filters
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3644 added
Updated by Daniel Lobato Garcia over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 7a86dcfe6b36dd43cd6163ce70599e53f09cc217.
Updated by Dominic Cleal over 8 years ago
- Related to Bug #16219: Association named 'hostgroup' was not found on Nic::Base added