Project

General

Profile

Actions

Bug #7822

closed

CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests

Added by Dominic Cleal about 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Category:
SSL
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Reported to foreman-security by Michael Moll. Also reported by Jon McKenzie in a comment here: http://projects.theforeman.org/issues/5651#note-1, and possibly the same as Michael Messmore's #6677 ticket.

The smart proxy when running in an SSL-secured mode permits incoming API calls to any endpoint without requiring, or performing any verification of an SSL client certificate. This permits any client with access to the API to make requests and perform actions (permitting control of Puppet CA, DHCP, DNS etc.)

Users are strongly recommended to ensure smart proxy ports (typically 8443/tcp) are firewalled so only Foreman hosts can access the service and to set the "trusted_hosts" config setting in /etc/foreman-proxy/settings.yml to a list of Foreman hostnames for host based acccess control.

See https://groups.google.com/forum/#!topic/foreman-announce/jXC5ixybjqo for more information on mitigation.


Related issues 5 (0 open5 closed)

Related to Smart Proxy - Feature #6677: Autosign entry additions should require authenticationResolved07/17/2014Actions
Related to Smart Proxy - Refactor #7832: Integration test for SSL verificationClosedDominic Cleal10/07/2014Actions
Related to Smart Proxy - Feature #7849: trusted_hosts should determine hostname from certificate CN on SSL requestsClosed10/08/2014Actions
Related to Installer - Bug #8301: Add a checker script for reverse DNSClosedChris Roberts11/06/2014Actions
Has duplicate Smart Proxy - Bug #5651: The 'trusted_hosts' config key has an unintuitive (and potentially dangerous) behaviorDuplicate05/09/2014Actions
Actions

Also available in: Atom PDF