Red Hat CloudForms was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.
External References: https://github.com/ManageIQ/manageiq/security/advisories/GHSA-84f5-5g5v-g8vr
Please refer table below for criticality: +----------------------+-------+-------+------------------+----------------+-----------------------------------------------+ | Version | OIDC | SAML | Apache | Affects | Notes | +----------------------+-------+-------+------------------+----------------+-----------------------------------------------+ | Master | X | X | httpd-2.4.37-16 | SAML | /api is protected for OIDC in Apache | | Jansa | X | X | httpd-2.4.37-16 | SAML | /api is protected for OIDC in Apache | | Ivanchuk (5.11) | X | X | httpd-2.4.6-90 | SAML | /api authenticates basic auth via OIDC in API | | Hammer (5.10) | X | X | httpd-2.4.6-89 | OIDC and SAML | Can impersonate users previously logged in | | Gaprindashvili (5.9) | ! | X | httpd-2.4.6-88 | SAML | Can impersonate users previously logged in | +----------------------+-------+-------+------------------+----------------+-----------------------------------------------+
Statement: The vulnerability and related criticality depends on the product releases and protocols. In CloudForms 5.11, attacker need to be authenticated through OIDC but SAML do not need any authentication for exploitation. However, for CloudForms 5.10, both SAML and OIDC protocols does not need authentication and attacker can impersonate users previously logged in. Red Hat does not support CloudForms 5.9 and earlier releases, however, confirms vulnerability affects SAML protocol but not OIDC. Reference metrics: https://bugzilla.redhat.com/show_bug.cgi?id=1855739#c3
Acknowledgments: Name: Alberto Bellotti (Red Hat)
Mitigation: Red Hat recommends upgrading to secured released versions, however, this flaw can be mitigated by unseting RequestHeader in http configuration. Mitigation steps would be: 1. Stop httpd service $ systemctl stop httpd 2. Add following additional unset at `/etc/httpd/conf.d/manageiq-remote-user-openidc.conf` and `/etc/httpd/conf.d/manageiq-remote-user.conf`, right before `X_REMOTE_USER` unset. ~~~ RequestHeader unset X-REMOTE-USER RequestHeader unset X-REMOTE_USER RequestHeader unset X_REMOTE-USER ~~~ 3. Validate configuration files to make sure all syntax is valid $ apachectl configtest 4. Restart httpd service $ systemctl start httpd
This issue has been addressed in the following products: CloudForms Management Engine 5.11 Via RHSA-2020:3358 https://access.redhat.com/errata/RHSA-2020:3358
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14325
This issue has been addressed in the following products: CloudForms Management Engine 5.10 Via RHSA-2020:3574 https://access.redhat.com/errata/RHSA-2020:3574