Bug 966804 (CVE-2013-2113)

Summary: CVE-2013-2113 Foreman: app/controllers/users_controller.rb arbitrary admin user creation due to mass assignment
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, dallan, dcleal, gsutclif, jomara, jrusnack, kseifried, markmc, mhulan, mmcallis, mmccune, rbryant, rcvalle, sclewis, security-response-team, skottler
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://projects.theforeman.org/issues/2630
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-16 03:47:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 966823, 966825
Bug Blocks: 966806

Description Kurt Seifried 2013-05-24 02:41:48 UTC
Ramon de C Valle (rcvalle) reports:

There is a mass assignment vulnerability in the create method of the
UsersController controller.

The create method in app/controllers/users_controller.rb deletes the 
user-controlled user[admin] parameter from the params hash but saves it to a 
local variable and assigns it to the newly created user object bypassing the 
:attr_protected mechanism.

  def create
    # user[admin] is removed from the hash, so mass assignment never sees it...
    admin = params[:user].delete :admin
    # ...but the block re-applies the request-supplied value directly on the
    # object, after attr_protected filtering has already happened.
    @user = User.new(params[:user]){|u| u.admin = admin }
    if @user.save
      @user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
      process_success
    else
      process_error
    end
  end

Any non-admin user with permissions to create other (non-admin) users
(i.e. with Manager role) can create arbitrary admin users by sending a
specially-crafted POST request.

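The following is an added example, not Foreman's code or the upstream fix. It uses a plain-Ruby stand-in for an ActiveRecord model with `attr_protected :admin` (the `User` class, `PROTECTED` constant and the `create_user_*` helpers are all constructed for this example) to show why the `delete`-then-reassign-in-block pattern defeats the protection, and contrasts it with one defensive pattern: the admin flag is only honoured when the acting user is already an administrator.

```ruby
# Added example (not Foreman's code): a minimal stand-in for an ActiveRecord
# model with attr_protected, showing why deleting user[:admin] from params and
# re-applying it in the initializer block defeats the protection, and one
# defensive pattern (an assumption of this example, not the upstream fix):
# only an administrator may decide the admin flag of a newly created user.

class User
  PROTECTED = [:admin].freeze   # stand-in for `attr_protected :admin`
  attr_accessor :login, :admin, :roles

  # Mass assignment: protected keys are silently dropped, as attr_protected does.
  def initialize(attrs = {})
    @admin = false
    @roles = []
    attrs.each do |k, v|
      next if PROTECTED.include?(k.to_sym)
      public_send("#{k}=", v)
    end
    yield self if block_given?   # the block has full access to the object
  end
end

# Vulnerable pattern from the report: the admin flag is removed from the hash,
# but the block re-applies whatever the request carried.
def create_user_vulnerable(params)
  admin = params[:user].delete(:admin)
  User.new(params[:user]) { |u| u.admin = admin }
end

# Hardened pattern: the request-supplied flag is discarded unless the acting
# user is already an admin; mass assignment alone never sets it.
def create_user_hardened(params, current_user)
  requested_admin = params[:user].delete(:admin)
  user = User.new(params[:user])
  user.admin = !!requested_admin if current_user.admin
  user
end

# Constructed request body, as a Manager-role (non-admin) user could send it.
def forged_params
  { user: { login: "mallory", admin: true } }
end

# Constructed acting users.
def manager
  User.new(login: "manager")                    # admin stays false
end

def administrator
  User.new(login: "root") { |u| u.admin = true }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, manager caller:  admin=#{create_user_vulnerable(forged_params).admin}"
  puts "hardened,   manager caller:  admin=#{create_user_hardened(forged_params, manager).admin}"
  puts "hardened,   admin caller:    admin=#{create_user_hardened(forged_params, administrator).admin}"
end
```

The point the example makes is that `attr_protected` only guards the mass-assignment path; any value copied out of `params` and written back through a setter is an authorization decision the controller has to make itself, based on who is calling rather than on what the request says.
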
Comment 4 Dominic Cleal 2013-06-07 09:48:17 UTC
Upstream tracker: http://projects.theforeman.org/issues/2630

A fix has been committed:
commit bae665de387d63f93740670ec2542db90084d0eb
Author: Marek Hulan <mhulan>
Date:   Thu Jun 6 11:25:17 2013 +0200

    fixes #2630 - restrict assignment of roles to those a user has (CVE-2013-2113)

And cherry-picked to stable branches:
1.2-stable: b52383d075abe611ac18db3925a787fa4b94b33b
1.1-stable: 7eadf32c83381aadc092cded68efff04ef20e07a

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975

Comment 5 Murray McAllister 2013-06-13 07:20:19 UTC
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 7 Kurt Seifried 2013-06-13 16:05:30 UTC
This issue is public: http://projects.theforeman.org/issues/2630

Comment 8 errata-xmlrpc 2013-06-27 16:44:58 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html