Bug 1943630 (CVE-2021-3469)

Summary: CVE-2021-3469 Foreman: Impersonation vulnerability in Foreman
Product: [Other] Security Response
Reporter: Yadnyawalk Tale <ytale>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bbuckingham, bcourt, bkearney, btotty, hhudgeon, lzap, mmccune, nmoumoul, pcreech, rchan, rjerrido, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: foreman 2.3.4, foreman 2.4.0
Doc Type: ---
Doc Text:
Foreman is affected by an improper authorization handling flaw. An authenticated attacker can impersonate the foreman-proxy if the product enables the Puppet Certificate Authority (CA) to sign certificate requests that have subject alternative names (SANs). Foreman does not enable SANs by default, and `allow-authorization-extensions` is set to `false` unless the user changes the `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration explicitly.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-26 17:35:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1941406, 1943633

Description Yadnyawalk Tale 2021-03-26 16:53:44 UTC
The SmartProxyAuth of Foreman allows controllers to authenticate certain requests based on the client certificate. As the Puppet CA considers subject alternative names (SANs) from a certificate along with the Common Name (CN), the Puppet CA will sign a certificate with SANs pointing at the DNS names of an already existing certificate. An attacker can obtain a new certificate by crafting a Certificate Signing Request (CSR) made up of a CN and SANs, and is able to impersonate the foreman-proxy so that the request is accepted.
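The description above comes down to which names a verifier is willing to read out of a client certificate. The following Ruby script is an added illustration, not Foreman's or Puppet Server's own code: it builds a throwaway in-memory CA standing in for a CA that honours requested SANs, issues one certificate that carries only a CN and one whose CN is a different host but whose SAN list names the trusted proxy, and then compares a check that accepts any DNS name found in the certificate (the behaviour the description attributes to SmartProxyAuth) with a stricter check that consults the CN only and refuses certificates carrying SANs at all. The host names, the CA, the `weak_trusted?`/`hardened_trusted?` helpers and the choice to reject SAN-bearing certificates are all assumptions made for this example, not a statement of how upstream fixed the issue.

```ruby
require 'openssl'

# All certificates below are constructed in memory for the demonstration;
# nothing is written to disk and no real Puppet CA is involved.

def new_cert(subject_cn, issuer_name, public_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_name
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed throwaway CA standing in for a CA that copies requested SANs into the certificate.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert('demo-puppet-ca', OpenSSL::X509::Name.parse('/CN=demo-puppet-ca'), key.public_key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue a leaf certificate; dns_sans models the SANs a permissive CA would accept from the CSR.
def issue_cert(ca_cert, ca_key, cn, dns_sans, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(cn, ca_cert.subject, key.public_key, serial)
  unless dns_sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = ca_cert
    cert.add_extension(ef.create_extension('subjectAltName', dns_sans.map { |h| "DNS:#{h}" }.join(',')))
  end
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The CN attribute of the subject, or nil when absent.
def common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# DNS entries of the subjectAltName extension, or [] when the extension is absent.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).select { |v| v.start_with?('DNS:') }.map { |v| v.sub('DNS:', '') }
end

# Weak check: any DNS name the certificate carries, CN or SAN, may match a trusted proxy host.
def weak_trusted?(cert, trusted_hosts)
  (([common_name(cert)].compact + san_dns_names(cert)) & trusted_hosts).any?
end

# Hardened check (assumed policy for this example): only the CN is consulted, and a certificate
# carrying SANs is rejected outright because the proxy certificates it expects are CN-only.
def hardened_trusted?(cert, trusted_hosts)
  san_dns_names(cert).empty? && trusted_hosts.include?(common_name(cert))
end

# Runs both checks against a genuine proxy certificate and a SAN-bearing one.
def demo
  ca_cert, ca_key = build_ca
  trusted = ['proxy.example.test'] # constructed host name of the trusted foreman-proxy
  legit   = issue_cert(ca_cert, ca_key, 'proxy.example.test', [], 2)
  crafted = issue_cert(ca_cert, ca_key, 'other.example.test', ['proxy.example.test'], 3)
  {
    legit_weak:       weak_trusted?(legit, trusted),
    legit_hardened:   hardened_trusted?(legit, trusted),
    crafted_weak:     weak_trusted?(crafted, trusted),
    crafted_hardened: hardened_trusted?(crafted, trusted)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run with `ruby san_check.rb`: the genuine certificate passes both checks, while the SAN-bearing one passes only the weak check. The point is that a verifier which treats SANs as equivalent to the CN delegates its trust decision to whatever the CA was willing to put in the SAN list, so the CA's SAN policy and the verifier's name extraction have to be reviewed together.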

Comment 1 Yadnyawalk Tale 2021-03-26 16:53:51 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project

Comment 2 Yadnyawalk Tale 2021-03-26 16:53:54 UTC
Statement:

Red Hat Satellite is not affected by the flaw, as the product requires the Puppet CA as the primary trusted CA, which does not allow signing certificate requests that have subject alternative names by default.

Comment 3 Yadnyawalk Tale 2021-03-26 16:53:58 UTC
Mitigation:

To mitigate the flaw, users are advised to set `allow-authorization-extensions` to `false` in the `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration file.
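For reference, this is how the setting named in the mitigation looks in the `certificate-authority` section of Puppet Server's `ca.conf`; the fragment is added here as an illustration, not copied from the bug or from Foreman's installer. The second key, `allow-subject-alt-names`, is not mentioned on this page but is the Puppet Server setting that governs whether SANs requested in a CSR are honoured; both default to `false`, and the weakened value is shown commented out beside each.

```hocon
certificate-authority: {
    # Puppet Server default; a value of true would let CSRs add
    # authorization extensions to the certificates the CA signs.
    # allow-authorization-extensions: true   <- weakened setting
    allow-authorization-extensions: false

    # Companion setting (not on the bug page): keep false so the CA
    # refuses to sign CSR-requested subject alternative names.
    # allow-subject-alt-names: true          <- weakened setting
    allow-subject-alt-names: false
}
```

Puppet Server has to be restarted for changes to `ca.conf` to take effect, and any certificate the CA signed while either value was `true` should be reviewed rather than assumed CN-only.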

Comment 5 Product Security DevOps Team 2021-03-26 17:35:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3469