Bug 959524 (CVE-2013-2056)

Summary: CVE-2013-2056 Satellite: Inter-Satellite Sync (ISS) does not require authentication/authorization
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cperry, jpazdziora, jrusnack, meissner, sclewis, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-04 19:56:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 959457, 960651, 960652, 960653, 965809
Bug Blocks: 959526

Attachments:
Description: The patch we used to address the issue for Satellite 5.5. (Flags: none)

Description Vincent Danen 2013-05-03 16:58:48 UTC
It was found that Red Hat Satellite did not fully check the authenticity of a client beyond the initial authentication check.  If an attacker were to modify the satellite-sync client so as to skip the initial authentication call, it could obtain any channel content from any Satellite that it could access.

This is due to the fact that Satellite only verifies a client's authenticity during the initial /SAT check, but does not check any subsequent connections to the sync service.
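The flaw described in the report is a generic one: an authentication step that issues no credential the later requests must carry, so the server cannot tell an authenticated sync client from one that simply never called the first method. The following is an added illustrative model, not Satellite or Spacewalk code and not the attached patch; the method names (sat.auth, sat.get_channel), the HMAC session-token format, the client allow-list and the channel contents are all constructed for the example. It places a vulnerable dispatcher, which checks the client only on the initial call, beside a hardened one that requires a valid, server-signed token on every subsequent call.

```python
"""Model of an auth-once sync endpoint and its hardened form (illustrative only)."""
import hashlib
import hmac
import secrets
import time

# Constructed example data: a per-process server secret, the slave Satellites
# this master is willing to talk to (keyed by hostname, value is the expected
# client certificate fingerprint), and some channel content to hand out.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_SLAVES = {"slave1.example.com": "a1b2c3d4e5f6"}
CHANNELS = {"rhel-x86_64-server-6": ["pkg-a-1.0-1", "pkg-b-2.3-4"]}


class AuthError(Exception):
    """Raised when a call is made by a client that has not authenticated."""


def check_client(hostname, cert_fp):
    """The initial authenticity check: is this hostname/fingerprint allowed?"""
    return ALLOWED_SLAVES.get(hostname) == cert_fp


def issue_token(hostname, lifetime=3600):
    """Bind an authenticated hostname to a short-lived, server-signed token."""
    expires = int(time.time()) + lifetime
    payload = f"{hostname}|{expires}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token):
    """Return the hostname a token was issued to, or None if it is missing,
    malformed, tampered with, or expired."""
    try:
        hostname, expires, mac = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None
    payload = f"{hostname}|{expires}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if expires < time.time():
        return None
    return hostname


def vulnerable_dispatch(method, params, token=None):
    """Auth is checked only in sat.auth; nothing ties later calls to it."""
    if method == "sat.auth":
        hostname, cert_fp = params
        if not check_client(hostname, cert_fp):
            raise AuthError("unknown client")
        return issue_token(hostname)
    if method == "sat.get_channel":
        (channel,) = params          # served to anyone who asks
        return CHANNELS[channel]
    raise ValueError(f"unknown method {method}")


def hardened_dispatch(method, params, token=None):
    """Every method other than sat.auth must present a token issued by sat.auth."""
    if method == "sat.auth":
        hostname, cert_fp = params
        if not check_client(hostname, cert_fp):
            raise AuthError("unknown client")
        return issue_token(hostname)
    hostname = verify_token(token)
    if hostname is None or hostname not in ALLOWED_SLAVES:
        raise AuthError("authentication required")
    if method == "sat.get_channel":
        (channel,) = params
        return CHANNELS[channel]
    raise ValueError(f"unknown method {method}")


def sync_skipping_auth(dispatch, channel="rhel-x86_64-server-6"):
    """A modified client that never calls sat.auth. Returns the channel content
    it obtained, or None if the server refused."""
    try:
        return dispatch("sat.get_channel", (channel,))
    except AuthError:
        return None


if __name__ == "__main__":
    print("vulnerable server leaks:", sync_skipping_auth(vulnerable_dispatch))
    print("hardened server leaks:", sync_skipping_auth(hardened_dispatch))
```

The hardening is the server-side rule that the initial check must produce something (here an HMAC-signed, expiring token) that each later call has to present and that the server re-verifies; a client that skips the first call has nothing to present, and a client that edits a token breaks the MAC.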

Comment 5 Jan Pazdziora (Red Hat) 2013-05-09 09:05:24 UTC
Created attachment 745586 [details]
The patch we used to address the issue for Satellite 5.5.

Comment 7 Vincent Danen 2013-05-09 14:01:31 UTC
The Inter-Satellite Sync (ISS) feature was introduced in Satellite 5.3, so this issue does not affect Satellite 5.2.

Comment 8 Murray McAllister 2013-05-13 06:51:11 UTC
Acknowledgements:

This issue was discovered by Jan Pazdziora of the Red Hat Satellite Engineering team.

Comment 9 errata-xmlrpc 2013-05-21 19:12:21 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Network Satellite Server v 5.3

Via RHSA-2013:0848 https://rhn.redhat.com/errata/RHSA-2013-0848.html