Bug #30739
closed
CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts
Added by Tomer Brisker about 4 years ago.
Updated about 4 years ago.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1873439
Description of problem:
User that are authenticated via keycload/RH SSO can claim the rights
of already existing local users
Version-Release number of selected component (if applicable):
6.7.2+
How reproducible:
Everytime
Steps to Reproduce:
1. Create user sectest (local on Satellite) with Sat admin rights and password redhat (Authorized by: INTERNAL)
2. Create user sectest (on RH SSO) with different password
3. Login to Satellite with the SSO user
Actual results:
The user sectest from SSO has full admin rights on the Satellite
Expected results:
Local users on Satellite with authorization source INTERNAL should not be able to login via SSO
Additional info:
Scenario:
- local admin user exists, example "admin"
- SSO admin creates user with the same name in SSO
- The SSO admin user can login to Satellite and has admin rights
- this is even worse as the users in SSO may be fedarated from other ldap or ADS sources
and the Satellite admins have no idea the same users exist in other directories'
- Subject changed from Users can gain elevated rights when logging in with SSO accounts
to Users can gain elevated rights when logging in with SSO accounts
- Private changed from No to Yes
- Assignee set to Rahul Bajaj
Patch/fix for review:
diff --git a/app/models/user.rb b/app/models/user.rb
index bacb31f..c75724b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -325,6 +325,9 @@ class User < ApplicationRecord
new_usergroups += auth_source.external_usergroups.includes(:usergroup).where(:name => external_groups).map(&:usergroup)
user.update(Hash[attrs.select { |k, v| v.present? }])
user.usergroups = new_usergroups.uniq
+ else
+ logger.info "Failed to create external User: Username '#{attrs[:login]}' already exists"
+ user = nil
end
user
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index a72c492..f8adcff 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -718,11 +718,11 @@ class UserTest < ActiveSupport::TestCase
not_existing_auth_source = 'new_external_source'
context "internal or not existing AuthSource" do
- test 'existing user' do
+ test 'existing user without auth source specified' do
assert_difference('User.count', 0) do
login = users(:one).login
- assert_equal User.find_or_create_external_user({:login => login}, nil),
- User.find_by_login(login)
+ user = User.find_or_create_external_user({:login => login}, nil)
+ assert user.nil?
end
end
@@ -762,6 +762,15 @@ class UserTest < ActiveSupport::TestCase
end
end
+ test 'existing user of different authsource' do
+ existing_source = AuthSourceExternal.where(:name => 'existing_source').first_or_create
+ existing_user = FactoryBot.create(:user, :auth_source => existing_source)
+ assert_difference('User.count', 0) do
+ user = User.find_or_create_external_user({:login => existing_user}, @apache_source.name)
+ assert user.nil?
+ end
+ end
+
test "not existing with attributes" do
created_user = User.find_or_create_external_user(
{:login => not_existing_user_login,
- Subject changed from Users can gain elevated rights when logging in with SSO accounts to CVE-2020-14380: Users can gain elevated rights when logging in with SSO accounts
- Private changed from Yes to No
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/7953 added
- Target version set to 2.1.3
- Fixed in Releases 2.3.0 added
- Fixed in Releases 2.0.3, 2.1.3, 2.2.0 added
- Fixed in Releases deleted (
2.3.0)
- Status changed from Ready For Testing to Closed
- Pull request https://github.com/theforeman/foreman/pull/7975 added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by