CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests
Reported to foreman-security by Michael Moll. Also reported by Jon McKenzie in a comment here: http://projects.theforeman.org/issues/5651#note-1, and possibly the same as Michael Messmore's #6677 ticket.
The smart proxy, when running in an SSL-secured mode, permits incoming API calls to any endpoint without requiring, or performing any verification of, an SSL client certificate. This permits any client with access to the API to make requests and perform actions (permitting control of Puppet CA, DHCP, DNS etc.).
Users are strongly recommended to ensure smart proxy ports (typically 8443/tcp) are firewalled so only Foreman hosts can access the service and to set the "trusted_hosts" config setting in /etc/foreman-proxy/settings.yml to a list of Foreman hostnames for host-based access control.
See https://groups.google.com/forum/#!topic/foreman-announce/jXC5ixybjqo for more information on mitigation.
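One way to check that the trusted_hosts mitigation described above is actually in place, as an added example that is not part of the original ticket or the smart proxy code base. The function names, the sample hostnames and the `:https_port:` key in the sample files are assumptions for illustration; only the trusted_hosts setting comes from the ticket.

```ruby
require 'yaml'

# Parse settings.yml text. The file is assumed to use Ruby-symbol style keys
# (":trusted_hosts:"), so Symbol is permitted and keys are normalised to strings.
def load_settings(text)
  raw = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  raw.each_with_object({}) { |(k, v), h| h[k.to_s.sub(/\A:/, '')] = v }
end

# Return a list of findings; an empty list means trusted_hosts matches the
# Foreman hosts the operator expects (hypothetical helper, not project code).
def audit_trusted_hosts(text, expected_foreman_hosts)
  settings = load_settings(text)
  hosts = Array(settings['trusted_hosts'])
          .map { |h| h.to_s.strip.downcase }.reject(&:empty?)
  return ['trusted_hosts is missing or empty: no host-based access control'] if hosts.empty?

  expected = expected_foreman_hosts.map { |h| h.strip.downcase }
  findings = []
  (hosts - expected).each { |h| findings << "unexpected trusted host: #{h}" }
  (expected - hosts).each { |h| findings << "Foreman host not listed: #{h}" }
  findings
end

# Constructed sample files; hostnames are placeholders.
UNRESTRICTED = <<~CONF
  ---
  :https_port: 8443
  # setting left commented out, so no host list is enforced
  #:trusted_hosts:
  #- foreman.example.com
CONF

RESTRICTED = <<~CONF
  ---
  :https_port: 8443
  :trusted_hosts:
    - Foreman.Example.com
CONF

if __FILE__ == $PROGRAM_NAME
  { 'unrestricted' => UNRESTRICTED, 'restricted' => RESTRICTED }.each do |name, conf|
    findings = audit_trusted_hosts(conf, ['foreman.example.com'])
    puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

To audit a real proxy, pass `File.read('/etc/foreman-proxy/settings.yml')` and the site's own Foreman hostnames; the firewall restriction on the proxy port still has to be checked separately.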
#12 Updated by Dominic Cleal about 4 years ago
- Subject changed from Smart proxy doesn't perform verification of client SSL certificate on API requests to CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests
1.5-stable commit: https://github.com/theforeman/smart-proxy/commit/a4ecc166f7f86de63d68a66d677eff37d64c8193.patch
1.6-stable commit: https://github.com/theforeman/smart-proxy/commit/d3def6c43e24bdde105e15add2fc74b4950bba55.patch
The 1.5-stable patch should apply cleanly on 1.2 to 1.4 too.
#13 Updated by Dominic Cleal about 4 years ago
1.5.4 and 1.6.2 have been shipped: https://groups.google.com/forum/#!topic/foreman-announce/LcjZx25Bl7U