Bug #7822
closedCVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests
Description
Reported to foreman-security by Michael Moll. Also reported by Jon McKenzie in a comment here: http://projects.theforeman.org/issues/5651#note-1, and possibly the same as Michael Messmore's #6677 ticket.
The smart proxy when running in an SSL-secured mode permits incoming API calls to any endpoint without requiring, or performing any verification of an SSL client certificate. This permits any client with access to the API to make requests and perform actions (permitting control of Puppet CA, DHCP, DNS etc.)
Users are strongly recommended to ensure smart proxy ports (typically 8443/tcp) are firewalled so only Foreman hosts can access the service and to set the "trusted_hosts" config setting in /etc/foreman-proxy/settings.yml to a list of Foreman hostnames for host based acccess control.
See https://groups.google.com/forum/#!topic/foreman-announce/jXC5ixybjqo for more information on mitigation.
Updated by Dominic Cleal about 10 years ago
- Project changed from Foreman to Smart Proxy
- Category changed from Security to SSL
Updated by Dominic Cleal about 10 years ago
- Has duplicate Bug #5651: The 'trusted_hosts' config key has an unintuitive (and potentially dangerous) behavior added
Updated by Dominic Cleal about 10 years ago
- Related to Feature #6677: Autosign entry additions should require authentication added
Updated by Dominic Cleal about 10 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Updated by The Foreman Bot about 10 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/217 added
- Pull request deleted (
)
Updated by Dominic Cleal about 10 years ago
- Related to Refactor #7832: Integration test for SSL verification added
Updated by Dominic Cleal about 10 years ago
- Related to Feature #7849: trusted_hosts should determine hostname from certificate CN on SSL requests added
Updated by Dominic Cleal about 10 years ago
- Translation missing: en.field_release set to 26
Updated by Dominic Cleal about 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 52f0bacf26923826a9b112369d504972369b3cf0.
Updated by Dominic Cleal about 10 years ago
We plan on releasing updated foreman-proxy packages as part of 1.5.4 and 1.6.2.
Updated by Dominic Cleal about 10 years ago
- Subject changed from Smart proxy doesn't perform verification of client SSL certificate on API requests to CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests
1.5-stable commit: https://github.com/theforeman/smart-proxy/commit/a4ecc166f7f86de63d68a66d677eff37d64c8193.patch
1.6-stable commit: https://github.com/theforeman/smart-proxy/commit/d3def6c43e24bdde105e15add2fc74b4950bba55.patch
The 1.5-stable patch should apply cleanly on 1.2 to 1.4 too.
Updated by Dominic Cleal about 10 years ago
1.5.4 and 1.6.2 have been shipped: https://groups.google.com/forum/#!topic/foreman-announce/LcjZx25Bl7U
Updated by Dominic Cleal about 10 years ago
- Related to Bug #8301: Add a checker script for reverse DNS added