Bug 1969265 (CVE-2021-3589)

Summary: CVE-2021-3589 foreman_ansible: authenticated user can access host through job_template
Product: [Other] Security Response
Reporter: Yadnyawalk Tale <ytale>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, bkearney, ehelms, jsherril, lzap, mhulan, nmoumoul, orabin, pcreech, rchan, rjerrido, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Bug Depends On: 1969271    
Bug Blocks: 1935692, 1969837    

Description Yadnyawalk Tale 2021-06-08 05:49:44 UTC
An attacker with elevated privileges can utilize Ansible functions to carry out actions as the Foreman-proxy user on the system. The prerequisite for this is that the hosts must have already been added to Foreman, and the attacker must have access to one of these hosts. If the attacker already has access to the system, they are deemed trustworthy with a high level of privilege.

Comment 3 Yadnyawalk Tale 2021-06-08 11:11:33 UTC
Looks like foreman_ansible introduced REX and job_templates in foreman_ansible-2.0.0 onward.
https://github.com/theforeman/foreman_ansible/commit/a5e0827bc3ec6c8ab82f968907857a15646305d5

Comment 6 Yadnyawalk Tale 2023-02-08 09:34:52 UTC
The complexity of performing this attack is not within the attacker's control, and the privilege required is evaluated as high.

The administrator of Foreman must grant the attacker administrative-equivalent privileges to create or modify job templates (PR:H). However, even if the attacker has the necessary access, they still need to have at least two host machines deployed and added to Foreman, and have access to the first host to gain access to the second in order to achieve remote code execution on the machine (AC:H).