Bug 1333405

Summary: CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter
Product: Red Hat Satellite Reporter: Lukas Zapletal <lzap>
Component: Foreman ProxyAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.2.0CC: abaron, aortega, apevec, ayoung, bbuckingham, bkearney, cbillett, chrisw, jschluet, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, satellite6-bugs, sclewis, security-response-team, srevivo, sthirugn, tbrisker, tdecacqu, tjay, tlestach
Target Milestone: UnspecifiedKeywords: Security, Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
URL: http://projects.theforeman.org/issues/14931
Whiteboard: impact=moderate,public=20160505,reported=20160505,source=upstream,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,cwe=CWE-20,rhn_satellite_6/foreman=new,openstack-foreman/foreman=new,openstack-6-installer/foreman=new
Fixed In Version: foreman-proxy-1.11.0.4-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: CVE-2016-3728 Environment:
Last Closed: 2016-07-27 11:33:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1333378    

Comment 1 Bryan Kearney 2016-05-05 14:17:46 UTC 
Upstream bug component is Capsule
Comment 3 Bryan Kearney 2016-05-05 16:18:44 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/14931 has been closed
Comment 5 Tomer Brisker 2016-05-23 08:02:49 UTC 
Verified on Snap 12. 
Attempting to access a non existent variant leads to 403 Forbidden with relevant message:

[root@sat-test-rhel7 foreman]# curl -g http://127.0.0.1:8000/tftp/ls/aa:bb:cc:dd:ee:ff -v
* About to connect() to 127.0.0.1 port 8000 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> GET /tftp/ls/aa:bb:cc:dd:ee:ff HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8000
> Accept: */*
> 
< HTTP/1.1 403 Forbidden 
< Content-Type: application/json;charset=utf-8
< Content-Length: 36
< X-Content-Type-Options: nosniff
< Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e
< Date: Mon, 23 May 2016 08:01:10 GMT
< Connection: Keep-Alive
< 
* Connection #0 to host 127.0.0.1 left intact
Unrecognized pxeboot config type: ls
Comment 6 Bryan Kearney 2016-07-27 11:33:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501