Project

General

Profile

Actions

Bug #30739

closed

CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts

Added by Tomer Brisker about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1873439
Description of problem:
User that are authenticated via keycload/RH SSO can claim the rights
of already existing local users

Version-Release number of selected component (if applicable):
6.7.2+

How reproducible:
Everytime

Steps to Reproduce:
1. Create user sectest (local on Satellite) with Sat admin rights and password redhat (Authorized by: INTERNAL)
2. Create user sectest (on RH SSO) with different password
3. Login to Satellite with the SSO user

Actual results:
The user sectest from SSO has full admin rights on the Satellite

Expected results:
Local users on Satellite with authorization source INTERNAL should not be able to login via SSO

Additional info:

Scenario:

- local admin user exists, example "admin" 
- SSO admin creates user with the same name in SSO
- The SSO admin user can login to Satellite and has admin rights
- this is even worse as the users in SSO may be fedarated from other ldap or ADS sources
and the Satellite admins have no idea the same users exist in other directories'
Actions #1

Updated by Tomer Brisker about 4 years ago

  • Subject changed from Users can gain elevated rights when logging in with SSO accounts to Users can gain elevated rights when logging in with SSO accounts
  • Private changed from No to Yes
Actions #2

Updated by Rahul Bajaj about 4 years ago

  • Assignee set to Rahul Bajaj
Actions #3

Updated by Rahul Bajaj about 4 years ago

Patch/fix for review:

diff --git a/app/models/user.rb b/app/models/user.rb
index bacb31f..c75724b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -325,6 +325,9 @@ class User < ApplicationRecord
         new_usergroups += auth_source.external_usergroups.includes(:usergroup).where(:name => external_groups).map(&:usergroup)
         user.update(Hash[attrs.select { |k, v| v.present? }])
         user.usergroups = new_usergroups.uniq
+      else
+        logger.info "Failed to create external User: Username '#{attrs[:login]}' already exists" 
+        user = nil
       end

       user
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index a72c492..f8adcff 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -718,11 +718,11 @@ class UserTest < ActiveSupport::TestCase
     not_existing_auth_source = 'new_external_source'

     context "internal or not existing AuthSource" do
-      test 'existing user' do
+      test 'existing user without auth source specified' do
         assert_difference('User.count', 0) do
           login = users(:one).login
-          assert_equal User.find_or_create_external_user({:login => login}, nil),
-            User.find_by_login(login)
+          user = User.find_or_create_external_user({:login => login}, nil)
+          assert user.nil?
         end
       end

@@ -762,6 +762,15 @@ class UserTest < ActiveSupport::TestCase
         end
       end

+      test 'existing user of different authsource' do
+        existing_source = AuthSourceExternal.where(:name => 'existing_source').first_or_create
+        existing_user = FactoryBot.create(:user, :auth_source => existing_source)
+        assert_difference('User.count', 0) do
+          user = User.find_or_create_external_user({:login => existing_user}, @apache_source.name)
+          assert user.nil?
+        end
+      end
+
       test "not existing with attributes" do
         created_user = User.find_or_create_external_user(
           {:login => not_existing_user_login,

Actions #4

Updated by Tomer Brisker about 4 years ago

  • Subject changed from Users can gain elevated rights when logging in with SSO accounts to CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts
  • Private changed from Yes to No
Actions #5

Updated by The Foreman Bot about 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7953 added
Actions #6

Updated by Tomer Brisker about 4 years ago

  • Target version set to 2.1.3
Actions #7

Updated by The Foreman Bot about 4 years ago

  • Fixed in Releases 2.3.0 added
Actions #8

Updated by Tomer Brisker about 4 years ago

  • Fixed in Releases 2.0.3, 2.1.3, 2.2.0 added
  • Fixed in Releases deleted (2.3.0)
Actions #9

Updated by Rahul Bajaj about 4 years ago

  • Status changed from Ready For Testing to Closed
Actions #10

Updated by The Foreman Bot about 4 years ago

  • Pull request https://github.com/theforeman/foreman/pull/7975 added
Actions

Also available in: Atom PDF