Bug 1939701 (CVE-2021-20290)

Summary: CVE-2021-20290 smart_proxy_openscap: Clients can perform reserved actions on Foreman Server through OpenSCAP plugin for smart-proxy
Product: [Other] Security Response Reporter: Yadnyawalk Tale <ytale>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, bkearney, egolov, hhudgeon, lzap, nmoumoul, pcreech, rchan, rjerrido, sokeeffe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: smart_proxy_openscap 0.9.1 Doc Type: If docs needed, set a value
Doc Text:
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1939709    
Bug Blocks: 1937277, 1945042    

Description Yadnyawalk Tale 2021-03-16 20:50:13 UTC 
On Foreman, OpenSCAP plugin for smart-proxy introduce a flaw which allows any client to perform actions of Foreman Server. OpenSCAP plugin and a Client system that has Puppet installed with certs signed by Puppet CA or a Foreman with a client system that has a consumer certificate from the Katello CA; attacker can use this Client's certs to access the OpenSCAP API and perform actions which are only reserved for a Foreman server.
Comment 1 Yadnyawalk Tale 2021-03-16 20:50:21 UTC 
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project
Comment 2 Yadnyawalk Tale 2021-03-16 20:50:24 UTC 
Mitigation:

To mitigate the flaw, disable smart_proxy_openscap plugin from the Server. You can do that either by editing `/etc/foreman-proxy/settings.d/openscap.yml` and restarting `systemctl restart foreman-proxy.service`, or by running `foreman-installer --no-enable-foreman-proxy-plugin-openscap` command.
Comment 6 Yadnyawalk Tale 2021-03-18 19:36:15 UTC 
Statement:

Red Hat Satellite 6 ship smart_proxy_openscap plugin which is affected by the flaw. The highest threat from this vulnerability is to integrity and system availability.
Comment 7 Lukas Zapletal 2021-04-06 14:32:52 UTC 
Upstream patch: https://github.com/theforeman/smart_proxy_openscap/pull/80

(Pending review)