Bug 1855739 (CVE-2020-14325)

Summary: CVE-2020-14325 CloudForms: User Impersonation in the API for OIDC and SAML
Product: [Other] Security Response Reporter: Yadnyawalk Tale <ytale>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: akarol, btotty, cbudzilo, dmetzger, gmccullo, gtanzill, jfrey, jhardy, obarenbo, roliveri, security-response-team, simaishi, smallamp
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cfme 5.11.7.0 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Red Hat CloudForms which allows a malicious attacker to impersonate any user or create a non-existent user with any entitlement in the appliance and perform an API request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-06 19:28:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1855754, 1855755    
Bug Blocks: 1855715    

Description Yadnyawalk Tale 2020-07-10 11:33:37 UTC 
Red Hat CloudForms was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.
Comment 1 Yadnyawalk Tale 2020-07-10 11:33:43 UTC 
External References:

https://github.com/ManageIQ/manageiq/security/advisories/GHSA-84f5-5g5v-g8vr
Comment 3 Yadnyawalk Tale 2020-07-10 12:02:59 UTC 
Please refer table below for criticality:

+----------------------+-------+-------+------------------+----------------+-----------------------------------------------+
|       Version        | OIDC  | SAML  |     Apache       |    Affects     |                     Notes                     |
+----------------------+-------+-------+------------------+----------------+-----------------------------------------------+
| Master               | X     | X     | httpd-2.4.37-16  | SAML           | /api is protected for OIDC in Apache          |
| Jansa                | X     | X     | httpd-2.4.37-16  | SAML           | /api is protected for OIDC in Apache          |
| Ivanchuk (5.11)      | X     | X     | httpd-2.4.6-90   | SAML           | /api authenticates basic auth via OIDC in API |
| Hammer (5.10)        | X     | X     | httpd-2.4.6-89   | OIDC and SAML  | Can impersonate users previously logged in    |
| Gaprindashvili (5.9) | !     | X     | httpd-2.4.6-88   | SAML           | Can impersonate users previously logged in    |
+----------------------+-------+-------+------------------+----------------+-----------------------------------------------+
Comment 4 Yadnyawalk Tale 2020-07-10 12:05:12 UTC 
Statement:

The vulnerability and related criticality depends on the product releases and protocols. 
In CloudForms 5.11, attacker need to be authenticated through OIDC but SAML do not need any authentication for exploitation. However, for CloudForms 5.10, both SAML and OIDC protocols does not need authentication and attacker can impersonate users previously logged in.

Red Hat does not support CloudForms 5.9 and earlier releases, however, confirms vulnerability affects SAML protocol but not OIDC.
Reference metrics: https://bugzilla.redhat.com/show_bug.cgi?id=1855739#c3
Comment 7 Yadnyawalk Tale 2020-07-13 10:48:02 UTC 
Acknowledgments:

Name: Alberto Bellotti (Red Hat)
Comment 8 Yadnyawalk Tale 2020-07-13 10:48:06 UTC 
Mitigation:

Red Hat recommends upgrading to secured released versions, however, this flaw can be mitigated by unseting RequestHeader in http configuration. Mitigation steps would be:

1. Stop httpd service
$ systemctl stop httpd

2. Add following additional unset at `/etc/httpd/conf.d/manageiq-remote-user-openidc.conf` and `/etc/httpd/conf.d/manageiq-remote-user.conf`, right before `X_REMOTE_USER` unset. 
~~~
RequestHeader unset X-REMOTE-USER
RequestHeader unset X-REMOTE_USER
RequestHeader unset X_REMOTE-USER
~~~

3. Validate configuration files to make sure all syntax is valid
$ apachectl configtest

4. Restart httpd service
$ systemctl start httpd
Comment 10 errata-xmlrpc 2020-08-06 14:32:47 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.11

Via RHSA-2020:3358 https://access.redhat.com/errata/RHSA-2020:3358
Comment 11 Product Security DevOps Team 2020-08-06 19:28:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14325
Comment 13 errata-xmlrpc 2020-08-27 16:01:44 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2020:3574 https://access.redhat.com/errata/RHSA-2020:3574