Unauthenticated YAML fact and reports importers can be exploited
The Rails vulnerability CVE-2013-0156 has made us realise there's a very similar issue in Foreman itself where it parses untrusted YAML input.
The facts and reports importers are used by puppetmasters to send YAML to Foreman, which is imported straight from Puppet and without any
authentication (since the puppetmaster has no credentials). An attacker can use this YAML loading to exploit Foreman.
We're proposing to lock this down so that only hosts with registered smart proxies on (with the Puppet feature) are able to upload data.
In addition, we would recommend (and implement in foreman-installer) enabling optional client SSL cert verification in mod_ssl, then enforce
the smart proxy check using the client certificate's CN. The report and ENC scripts would change to use the puppetmaster's SSL cert during HTTPS calls to Foreman.
Both the host check and the enhanced HTTPS check would have settings so they can be disabled. They'd be enabled by default in 1.1, but if
there's demand for a backport to 1.0 then they'd be disabled for compatibility.
This would also address the issue raised by Andreas Rogge (thank you for the report) where ENC output, including hashed root passwords, is
accessible to any host: #2069
In the meantime, if you're concerned about the security of your Foreman host then you could restrict access via Apache, if you use it. e.g.
<Location ~ "/(fact_values|reports)/create"> Order Deny,Allow Deny from all Allow from puppetmaster.example.net </Location>
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.
#2 Updated by Dominic Cleal over 6 years ago
- Status changed from Assigned to Ready For Testing
Two PRs submitted:
https://github.com/theforeman/foreman/pull/373 restricts access to the puppetmaster interfaces to prevent unauthed imports (CVE-2013-0171)
https://github.com/theforeman/puppet-foreman/pull/34 to support restricted access
(linked to #2069)
#4 Updated by Dominic Cleal over 6 years ago
For users updating and hitting this change, please see the following documentation:
We appreciate it's a difficult change, but is necessary to improve the security of the application. If you have problems, do check the troubleshooting text in the manual, and do contact one of the Support channels.