Bug 997639 (CVE-2013-4225)

Summary: CVE-2013-4225 Katello: proxied Candlepin calls authorization bypass
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apatters, athomas, bdunne, bkearney, cpelland, jfrey, jrafanie, jrusnack, kseifried, mmccune, obarenbo, sclewis, security-response-team, sthirugn, walden, xlecauch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found where incorrect permission checks in Katello led to certain HTTP API calls being accessible without a proper certificate. An attacker could use this vulnerability to view and alter subscription information for managed systems.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-17 05:34:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 986185, 997691, 997693, 997694, 1159434    
Bug Blocks: 997692, 1000138    

Description Kurt Seifried 2013-08-15 20:50:34 UTC
Ivan Necas (inecas) reports:

Description of problem:
Since this patch in upstream

https://github.com/Katello/katello/commit/a8c987213a3fa15bda493802a21594e2c53ad346#L2R21

the calls to katello that are directly proxied to candlepin were
skipped for proper authorization.

These are mostly the calls that are performed by subscription-manager from
registered systems (listing available subscriptions, subscribing, unsubscribing, etc.).


Version-Release number of selected component (if applicable):
All the versions containing the patch above. Should be only Sat6 MDP1 and SAM 1.3 beta

How reproducible:
Always

Steps to Reproduce:
1. subscription-manager register # against a katello instance
2. subscription-manager identity # note the uuid
3. curl -k -u admin:admin https://localhost/katello/api/consumers/{uuid}/owner

Actual results:

The user is allowed to access this url with user credentials

Expected results:

The call should be allowed only for the subscribed system with proper consumer certificate.
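
An added illustration (not Katello's own code) of the authorization rule the report asks for: a proxied consumer-scoped call must be tied to the consumer certificate the client presents, and that consumer's UUID must match the UUID in the request path, so plain user credentials are rejected. The Principal struct, route pattern and function names below are constructed for this example.

```ruby
# Constructed model of the authorization decision for Katello API calls
# that are proxied straight through to Candlepin. A principal is either a
# user (HTTP basic auth) or a registered system presenting its consumer
# certificate; nothing here is Katello's actual implementation.
require 'uri'

Principal = Struct.new(:kind, :name, :consumer_uuid)

# Consumer-scoped proxy routes, e.g. /katello/api/consumers/<uuid>/owner
CONSUMER_ROUTE = %r{\A/(?:katello|sam)/api/consumers/
                     (\h{8}-\h{4}-\h{4}-\h{4}-\h{12})(?:/|\z)}x.freeze

# Behaviour the report describes: once a principal has authenticated at
# all, the proxied call goes to Candlepin with no check of who the
# principal is, so "-u admin:admin" reaches a consumer-only endpoint.
def authorize_proxied_call_vulnerable(principal, _path)
  !principal.nil?
end

# Hardened rule modelled here: a consumer-scoped proxied call is allowed
# only when a consumer certificate was presented AND its UUID equals the
# UUID embedded in the path. Any other proxied path is denied by default
# (an assumption of this model, not a statement about Katello's routes).
def authorize_proxied_call(principal, path)
  return false if principal.nil?
  m = CONSUMER_ROUTE.match(URI(path).path)
  return false unless m
  principal.kind == :consumer_cert && principal.consumer_uuid == m[1]
end

# Error body shaped like the one in the fixed version's response.
def denial_message(principal, path)
  who = principal ? (principal.name || principal.consumer_uuid) : 'anonymous'
  { 'displayMessage' => "User #{who} is not allowed to access #{URI(path).path}" }
end

if __FILE__ == $0
  # Constructed sample principals; the UUID is the one quoted in the report.
  uuid  = 'e333a1fa-5b00-4682-89c7-0ff8a8ee1c91'
  path  = "https://localhost/katello/api/consumers/#{uuid}/owner"
  admin = Principal.new(:user, 'admin', nil)
  sys   = Principal.new(:consumer_cert, nil, uuid)
  puts "vulnerable, admin: #{authorize_proxied_call_vulnerable(admin, path)}"
  puts "hardened, admin:   #{authorize_proxied_call(admin, path)}"
  puts "hardened, system:  #{authorize_proxied_call(sys, path)}"
  puts denial_message(admin, path) unless authorize_proxied_call(admin, path)
end
```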

Comment 3 Bryan Kearney 2014-06-25 20:55:31 UTC
This is not a bug on SAM 1.4

[root@bkearney ~]# subscription-manager register
Username: admin
Password: 
Organization: ACME_Corporation
The system has been registered with ID: e333a1fa-5b00-4682-89c7-0ff8a8ee1c91 
[root@bkearney ~]# curl -k -u admin:admin https://ibm-x3250m4-07.lab.eng.rdu2.redhat.com/sam/api/consumers/e333a1fa-5b00-4682-89c7-0ff8a8ee1c91/owner
{"displayMessage":"User admin is not allowed to access api/v1/candlepin_proxies/get","errors":["User admin is not allowed to access api/v1/candlepin_proxies/get"]}[ro