Project

General

Profile

Bug #30739

CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts

Added by Tomer Brisker over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Rahul Bajaj
Category:
Security
Target version:
2.1.3
Difficulty:
Triaged:
No
Bugzilla link:
1873439
Pull request:
https://github.com/theforeman/foreman/pull/7953
Fixed in Releases:
2.0.3, 2.1.3, 2.2.0
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1873439
Description of problem:
User that are authenticated via keycload/RH SSO can claim the rights
of already existing local users

Version-Release number of selected component (if applicable):
6.7.2+

How reproducible:
Everytime

Steps to Reproduce:
1. Create user sectest (local on Satellite) with Sat admin rights and password redhat (Authorized by: INTERNAL)
2. Create user sectest (on RH SSO) with different password
3. Login to Satellite with the SSO user

Actual results:
The user sectest from SSO has full admin rights on the Satellite

Expected results:
Local users on Satellite with authorization source INTERNAL should not be able to login via SSO

Additional info:

Scenario:

- local admin user exists, example "admin" 
 - SSO admin creates user with the same name in SSO
 - The SSO admin user can login to Satellite and has admin rights
 - this is even worse as the users in SSO may be fedarated from other ldap or ADS sources
   and the Satellite admins have no idea the same users exist in other directories'

Associated revisions

Revision d4449890 (diff)
Added by Rahul Bajaj over 2 years ago

Fixes #30739 - User must login with the assigned auth source

History

#1 Updated by Tomer Brisker over 2 years ago

  • Private changed from No to Yes
  • Subject changed from Users can gain elevated rights when logging in with SSO accounts to Users can gain elevated rights when logging in with SSO accounts

#2 Updated by Rahul Bajaj over 2 years ago

  • Assignee set to Rahul Bajaj

#3 Updated by Rahul Bajaj over 2 years ago

Patch/fix for review:

diff --git a/app/models/user.rb b/app/models/user.rb
index bacb31f..c75724b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -325,6 +325,9 @@ class User < ApplicationRecord
         new_usergroups += auth_source.external_usergroups.includes(:usergroup).where(:name => external_groups).map(&:usergroup)
         user.update(Hash[attrs.select { |k, v| v.present? }])
         user.usergroups = new_usergroups.uniq
+      else
+        logger.info "Failed to create external User: Username '#{attrs[:login]}' already exists" 
+        user = nil
       end

       user
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index a72c492..f8adcff 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -718,11 +718,11 @@ class UserTest < ActiveSupport::TestCase
     not_existing_auth_source = 'new_external_source'

     context "internal or not existing AuthSource" do
-      test 'existing user' do
+      test 'existing user without auth source specified' do
         assert_difference('User.count', 0) do
           login = users(:one).login
-          assert_equal User.find_or_create_external_user({:login => login}, nil),
-            User.find_by_login(login)
+          user = User.find_or_create_external_user({:login => login}, nil)
+          assert user.nil?
         end
       end

@@ -762,6 +762,15 @@ class UserTest < ActiveSupport::TestCase
         end
       end

+      test 'existing user of different authsource' do
+        existing_source = AuthSourceExternal.where(:name => 'existing_source').first_or_create
+        existing_user = FactoryBot.create(:user, :auth_source => existing_source)
+        assert_difference('User.count', 0) do
+          user = User.find_or_create_external_user({:login => existing_user}, @apache_source.name)
+          assert user.nil?
+        end
+      end
+
       test "not existing with attributes" do
         created_user = User.find_or_create_external_user(
           {:login => not_existing_user_login,

#4 Updated by Tomer Brisker over 2 years ago

  • Private changed from Yes to No
  • Subject changed from Users can gain elevated rights when logging in with SSO accounts to CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts

#5 Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7953 added

#6 Updated by Tomer Brisker over 2 years ago

  • Target version set to 2.1.3

#7 Updated by The Foreman Bot over 2 years ago

  • Fixed in Releases 2.3.0 added

#8 Updated by Tomer Brisker over 2 years ago

  • Fixed in Releases 2.0.3, 2.1.3, 2.2.0 added
  • Fixed in Releases deleted (2.3.0)

#9 Updated by Rahul Bajaj over 2 years ago

  • Status changed from Ready For Testing to Closed

#10 Updated by The Foreman Bot over 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/7975 added

Also available in: Atom PDF