Bug 1024614 - (CVE-2013-4480) CVE-2013-4480 Satellite: Interface to create the initial administrator user remains open after installation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20131112,repor...
Keywords: Security
Depends On: 1025605 1025606 1025607 1025608 1025609
Blocks: 1024617
Reported: 2013-10-30 01:28 EDT by David Jorm
Modified: 2014-10-20 20:05 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-11-12 17:27:36 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 539313 None None None Never
Red Hat Knowledge Base (Article) 539283 None None None Never

Description David Jorm 2013-10-30 01:28:06 EDT
It was found that the web interface provided by Red Hat Satellite to create the initial administrator user was not disabled after the initial user was created. A remote attacker could use this flaw to create an administrator user with credentials they specify. This user could then be used to assume control of the Satellite server.
Comment 1 David Jorm 2013-10-30 01:31:32 EDT
Acknowledgements:

This issue was discovered by Andrew Spurrier of Red Hat.
Comment 18 errata-xmlrpc 2013-11-12 11:12:25 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.2

Via RHSA-2013:1513 https://rhn.redhat.com/errata/RHSA-2013-1513.html
Comment 19 errata-xmlrpc 2013-11-12 11:24:55 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3
  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2013:1514 https://rhn.redhat.com/errata/RHSA-2013-1514.html
Comment 20 Xixi 2013-11-12 12:17:32 EST
Official Knowledgebase Article: https://access.redhat.com/site/articles/539283

KCS Solution (which references above Article): https://access.redhat.com/site/solutions/539313