Bug 1702604 (CVE-2019-10137)

Summary: CVE-2019-10137 spacewalk-proxy: Path traversal in proxy authentication cache
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bkearney, cbuissar, mmraka, rdrazny, security-response-team, tlestach
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A path traversal flaw was found in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files on the proxy's filesystem, or, if they can also write arbitrary data to an arbitrary location on that filesystem, execute arbitrary code in the context of the httpd process.
Last Closed: 2019-07-12 13:07:05 UTC
Bug Depends On: 1710280
Bug Blocks: 1702605
Attachments: make sure file is created inside CACHEDIR (flags: none)

Description Marian Rehak 2019-04-24 08:49:52 UTC
Untrusted user input in the 'X-RHN-Server-ID' header flows through these functions to be directly used as part of a path name, if CFG.USE_LOCAL_AUTH is true:

__checkAuthSessionTokenCache -> update_client_token_if_valid -> set_client_token -> AuthLocalBackend.__setitem__ (_compute_key) -> _fname -> cleanupPath

With the resulting path, files are read, written, truncated, deleted, and directories created.

Comment 2 Marian Rehak 2019-04-24 08:54:32 UTC
Acknowledgments:

Name: Malte Kraus (SUSE)

Comment 3 Marian Rehak 2019-04-24 09:55:39 UTC
Discovered in private SUSE fork based on version spacewalk 2.8, but upstream master looks to be equally affected.

Comment 7 Cedric Buissart 2019-05-14 10:15:27 UTC
The attack does not require authentication.

* The attack can be used to force the Proxy into reading files outside of the dedicated token directory. However, unless the said file is specially crafted, this will result in an error and the file content will not be revealed to the attacker.

* Considering the parent Satellite trusted, the attack cannot be used to force writing data outside of the token directory, nor to write arbitrary data.

* The attack can be used to test the existence of files in the proxy's filesystem (the error differs whether the token file exists or not)

* If the attacker has the ability to write arbitrary data on an arbitrary location, the flaw could be used to execute code on the proxy server, in the context of the proxy service, during the unserialization of the token file.
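
The call chain in the description and the file-existence oracle in comment 7, modelled as a runnable example. This is added illustration code, not spacewalk's rhnCache or proxy code: the resolver names `_fname_vulnerable` and `_fname_fixed`, the key scheme (the raw `X-RHN-Server-ID` value used directly as the file name under CACHEDIR), the pickle serialisation of the cached token and the temporary directory layout are all assumptions. The vulnerable resolver only normalises the joined path, so an ID containing `..` resolves outside CACHEDIR and the lookup's failure mode reveals whether that file exists; the hardened resolver resolves both sides and rejects any key that does not stay inside CACHEDIR, which is the property the attachment title ("make sure file is created inside CACHEDIR") describes.

```python
"""Model of CVE-2019-10137: a cache key built from an untrusted header.

Added example, not spacewalk code. CACHEDIR layout, file naming and the
pickle format of the stored token are assumptions made for illustration.
"""
import os
import pickle
import tempfile


class CacheError(Exception):
    """Raised when a cache key would resolve to a path outside CACHEDIR."""


def _fname_vulnerable(cachedir, name):
    # Pre-fix behaviour as described in the bug: the key derived from the
    # client's X-RHN-Server-ID header is appended to CACHEDIR and merely
    # normalised. normpath() collapses "..", so a crafted ID walks out.
    return os.path.normpath(os.path.join(cachedir, name))


def _fname_fixed(cachedir, name):
    # Hardened resolver: resolve both sides (realpath also follows symlinks)
    # and refuse any key whose final location is not strictly inside CACHEDIR.
    root = os.path.realpath(cachedir)
    path = os.path.realpath(os.path.join(root, name))
    if path == root or os.path.commonpath([root, path]) != root:
        raise CacheError("cache key %r escapes CACHEDIR" % (name,))
    return path


def set_client_token(cachedir, server_id, token, resolver):
    # The proxy writes the token it obtained from the parent server; the
    # file name is derived from server_id by the chosen resolver.
    with open(resolver(cachedir, server_id), "wb") as f:
        pickle.dump(token, f)


def get_client_token(cachedir, server_id, resolver):
    """Return a label describing what a lookup for server_id observes.

    With the vulnerable resolver the label leaks whether an arbitrary file
    exists: a missing file and an existing non-token file fail differently.
    """
    try:
        path = resolver(cachedir, server_id)
    except CacheError:
        return "rejected"
    try:
        with open(path, "rb") as f:
            # Unserialising an attacker-controlled file is the step comment 7
            # identifies as the code-execution risk; the path must be rejected
            # before any read happens.
            pickle.load(f)
    except FileNotFoundError:
        return "missing"
    except Exception:
        return "exists"
    return "token"


def demo():
    """Build a throw-away tree (constructed data) and exercise both resolvers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cachedir = os.path.join(tmp, "proxy-auth")
        os.mkdir(cachedir)
        # A file outside the token directory that the attacker wants to probe.
        with open(os.path.join(tmp, "secret.txt"), "wb") as f:
            f.write(b"not a pickled token\n")
        probe_existing = "../secret.txt"   # attacker-chosen X-RHN-Server-ID
        probe_missing = "../missing.txt"

        results["vuln_existing"] = get_client_token(cachedir, probe_existing, _fname_vulnerable)
        results["vuln_missing"] = get_client_token(cachedir, probe_missing, _fname_vulnerable)
        results["fixed_existing"] = get_client_token(cachedir, probe_existing, _fname_fixed)
        results["fixed_missing"] = get_client_token(cachedir, probe_missing, _fname_fixed)

        # A well-formed server ID still round-trips through the hardened resolver.
        set_client_token(cachedir, "1000010000", {"X-RHN-Auth": "deadbeef"}, _fname_fixed)
        results["fixed_legit"] = get_client_token(cachedir, "1000010000", _fname_fixed)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dict: the vulnerable resolver answers "exists" for the probe of a real file and "missing" for a non-existent one, which is exactly the difference in errors comment 7 describes, while the hardened resolver answers "rejected" for both and still serves a legitimate token. Note that the check is on the resolved path, not on the presence of `..` in the input, so encoded or symlink-based variants are caught as well.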

Comment 11 Cedric Buissart 2019-06-12 14:06:29 UTC
Mitigation:

SELinux in enforcing mode will prevent the proxy from accessing files that have an incompatible SELinux context.

Comment 12 errata-xmlrpc 2019-07-02 13:57:35 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Proxy v 5.8

Via RHSA-2019:1663 https://access.redhat.com/errata/RHSA-2019:1663

Comment 13 Cedric Buissart 2019-07-03 09:01:32 UTC
Created attachment 1586994 [details]
make sure file is created inside CACHEDIR

Comment 14 Product Security DevOps Team 2019-07-12 13:07:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10137