Bug 1873131 (CVE-2020-14371)
| Summary: | CVE-2020-14371 Satellite: Compute resource credential leak | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Yadnyawalk Tale <ytale> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, btotty, hhudgeon, lzap, mmccune, mrichter, nmoumoul, rchan, rjerrido, sokeeffe |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A credential leak vulnerability was found in Red Hat Satellite. This flaw exposes the compute resources credentials through VMs that are running on these resources in Satellite.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-27 11:32:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1872333 | ||
| Bug Blocks: | 1872454 | ||
|
Description
Yadnyawalk Tale
2020-08-27 13:04:09 UTC
Acknowledgments: Name: Evgeni Golov (Red Hat) * Frequently Asked Questions for CVE-2020-14371: Q: What is the impact of the flaw? A: It is a moderate severity flaw and difficult to exploit in general. Please refer following classification for more information on severity: https://access.redhat.com/security/updates/classification Q: What type of flaw is this? A: Plaintext password (credential) leak via JSON. In the CWE world this is known for CWE-200. Q: How does this flaw work? A: Authenticated attacker of Satellite can acquire credentials of compute resources by inspecting VMs that are running on these resources. Q: Does an attacker need to have an account on Red Hat Satellite to exploit this? A: Yes, attacker need to have an account in Red Hat Satellite. Q: How do attacker choose to exploit this? A: They could exploit this through API endpoint, when authenticated attacker hit "https://hostname.com/api/redacted_path/redacted_path/redacted_path" endpoint (can't disclose this redacted_path) it will return JSON which have the credentials of the compute resource "client" used to manage this host on it. Q: Which components from Satellite are affected by this? A: Reporter only reported this issue against oVirt/RHV and users with host_view permissions, however, we are still investigating which other components are affected by this. Q: What should be the expected result? A: Users with host_view permissions privileges should never see the credentials of a compute resource client. Q: Which version of Satellite is affected? A: Flaw reported against Satellite 6.6.3 with oVirt/RHV compute resource, however we believe that Satellite 6.7 is also affected Q: How can I fix this vulnerability? Is there any workaround? A: Fixes are not released yet, there is no workaround found at the moment. Q: Current status. A: Engineering currently discussing on fix and cause of this vulnerability. Statement: Red Hat Satellite is vulnerable to the compute resource credential leak through VMs that are running on these resources in Satellite. Red Hat Product Security has rated this flaw as having a security impact of Moderate. Please refer to https://access.redhat.com/security/updates/classification for clarification on the scoring. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14371 |