Jan Rusnacko of the Red Hat Product Security Team reports:
CFME contains an authorization bypass issue in the action rbac_user_edit,
which allows authenticated users with minimal privileges to gain access to
additional privileges.
The problem is in the method check_privileges in vmdb/app/controllers/application_controller.rb:
def check_generic_rbac
  ident = "#{controller_name}_#{action_name}"
  if MiqProductFeature.feature_exists?(ident)
    passed = role_allows(:feature => ident, :any => true)
    unless passed
      if request.xml_http_request?
        render :update do |page|
          page.redirect_to :controller => 'dashboard', :action => 'auth_error'
        end
      else
        redirect_to(:controller => 'dashboard', :action => 'auth_error')
      end
    end
    passed
  else
    validate_route(controller_name, request.env['REQUEST_METHOD'], action_name)
  end
end
Since there is no else branch for the "if MiqProductFeature.feature_exists?(ident)", any feature that is missing from the list of known features will be allowed by default. One such feature is ops_rbac_user_edit.
This is the exact same place in the code that causes CVE-2014-0078; however, the
fix for that issue solves only CVE-2014-0078, not the problem itself. After the
fix is applied, privileges for x_button are checked, but other actions like
rbac_user_edit are still allowed by default.
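The following is an added illustration, not CFME's own code: a stripped-down model of the feature check described in the report, showing the default-allow behaviour for an unregistered feature beside a fail-closed version. KNOWN_FEATURES, Role, feature_exists?, vulnerable_check and hardened_check are constructed for this example; only the identifier ops_rbac_user_edit comes from the report.

```ruby
# Added illustration (not CFME code): a model of the RBAC check described above,
# with the default-allow behaviour beside a fail-closed version.
# KNOWN_FEATURES, Role and the helper names are constructed for this example;
# only "ops_rbac_user_edit" comes from the report.

# Stand-in for MiqProductFeature: the features the product knows about.
KNOWN_FEATURES = %w[ops_rbac_user_show dashboard_show].freeze

# Stand-in for a role: the set of features it has been granted.
Role = Struct.new(:name, :features) do
  def allows?(feature)
    features.include?(feature)
  end
end

def feature_exists?(ident)
  KNOWN_FEATURES.include?(ident)
end

# Mirrors the reported logic: an identifier that is missing from the feature
# list is never checked against the role, so the action is permitted by default.
def vulnerable_check(role, controller, action)
  ident = "#{controller}_#{action}"
  return role.allows?(ident) if feature_exists?(ident)
  true # unknown feature: allowed without any role check
end

# Fail-closed variant: an identifier that is not a registered feature is
# treated as a misconfiguration and denied, so a missing entry in the feature
# list cannot silently widen a role's privileges.
def hardened_check(role, controller, action)
  ident = "#{controller}_#{action}"
  return false unless feature_exists?(ident)
  role.allows?(ident)
end

minimal = Role.new("minimal", %w[dashboard_show])

# The action from the report is not registered as a feature.
vulnerable_check(minimal, "ops", "rbac_user_edit") # => true
hardened_check(minimal, "ops", "rbac_user_edit")   # => false
# A registered feature the role does hold is allowed by both versions.
hardened_check(minimal, "dashboard", "show")       # => true
```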