Project

General

Profile

Actions

Bug #2121

closed

Unauthenticated YAML fact and reports importers can be exploited

Added by Dominic Cleal about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Immediate
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The Rails vulnerability CVE-2013-0156 has made us realise there's a very similar issue in Foreman itself where it parses untrusted YAML input.

The facts and reports importers are used by puppetmasters to send YAML to Foreman, which is imported straight from Puppet and without any
authentication (since the puppetmaster has no credentials). An attacker can use this YAML loading to exploit Foreman.

We're proposing to lock this down so that only hosts with registered smart proxies on (with the Puppet feature) are able to upload data.

In addition, we would recommend (and implement in foreman-installer) enabling optional client SSL cert verification in mod_ssl, then enforce
the smart proxy check using the client certificate's CN. The report and ENC scripts would change to use the puppetmaster's SSL cert during HTTPS calls to Foreman.

Both the host check and the enhanced HTTPS check would have settings so they can be disabled. They'd be enabled by default in 1.1, but if
there's demand for a backport to 1.0 then they'd be disabled for compatibility.

This would also address the issue raised by Andreas Rogge (thank you for the report) where ENC output, including hashed root passwords, is
accessible to any host: #2069

In the meantime, if you're concerned about the security of your Foreman host then you could restrict access via Apache, if you use it. e.g.

<Location ~ "/(fact_values|reports)/create">
  Order Deny,Allow
  Deny from all
  Allow from puppetmaster.example.net
</Location>

(from http://groups.google.com/group/foreman-users/browse_thread/thread/fe39ca595e1f03db)


Related issues 4 (1 open3 closed)

Related to Foreman - Bug #2069: (encrypted) root passwords are world readableClosedDominic Cleal10/07/2009Actions
Related to Foreman - Bug #2151: Issues with SSL verification of proxiesClosedDominic Cleal01/22/2013Actions
Related to Foreman - Feature #2153: Add trusted_hosts for puppetmaster interfaces, bypass proxy requirementClosedDominic Cleal01/24/2013Actions
Related to Foreman - Feature #5914: Allow a host to upload its own facts and reports - Support masterless PuppetNew05/23/2014Actions
Actions #1

Updated by Dominic Cleal about 11 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
Actions #2

Updated by Dominic Cleal about 11 years ago

  • Status changed from Assigned to Ready For Testing

Two PRs submitted:

https://github.com/theforeman/foreman/pull/373 restricts access to the puppetmaster interfaces to prevent unauthed imports (CVE-2013-0171)
https://github.com/theforeman/puppet-foreman/pull/34 to support restricted access

(linked to #2069)

Actions #3

Updated by Dominic Cleal about 11 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #4

Updated by Dominic Cleal about 11 years ago

For users updating and hitting this change, please see the following documentation:

We appreciate it's a difficult change, but is necessary to improve the security of the application. If you have problems, do check the troubleshooting text in the manual, and do contact one of the Support channels.

Actions #5

Updated by Dominic Cleal over 9 years ago

  • Related to Feature #5914: Allow a host to upload its own facts and reports - Support masterless Puppet added
Actions

Also available in: Atom PDF