Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1067623 - (CVE-2014-0087) CVE-2014-0087 CFME: check_privileges logic error resulting in privilege escalation
CVE-2014-0087 CFME: check_privileges logic error resulting in privilege escal...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150204,repo...
: Security
Depends On: 1067631 1067632
Blocks: 1067677
  Show dependency treegraph
 
Reported: 2014-02-20 13:36 EST by Kurt Seifried
Modified: 2015-02-18 19:58 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-18 19:58:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Kurt Seifried 2014-02-20 13:36:13 EST 
Jan Rusnacko of the Red Hat Product Security Team reports:

CFME contains an authorization bypass issue in the action rbac_user_edit,
which allows authenticated users with minimal privileges to gain access to 
additional privileges.

The problem is in the method check_privileges in vmdb/app/controllers/application_controller.rb:

  def check_generic_rbac
    ident = "#{controller_name}_#{action_name}"

    if MiqProductFeature.feature_exists?(ident)
      passed = role_allows(:feature => ident, :any => true)
      unless passed
        if request.xml_http_request?
          render :update do |page|
            page.redirect_to :controller => 'dashboard', :action => 'auth_error'
          end
        else
          redirect_to(:controller => 'dashboard', :action => 'auth_error')
        end
      end
      passed
    else
      validate_route(controller_name, request.env['REQUEST_METHOD'], action_name)
    end
  end


Since there is no else branch for the "if MiqProductFeature.feature_exists?(ident)", any feature that is missing from the list of known features, will be allowed by default. One of 
these such features is ops_rbac_user_edit.

This is the same exact place in code that is causing CVE-2014-0078, however, the
fix for this issue solves only CVE-2014-0078, not the problem itself. After the 
fix is applied, privileges for x_button are checked, but other actions like 
rbac_user_edit are allowed by default.
Comment 1 Kurt Seifried 2014-02-20 13:52:30 EST 
Acknowledgements:

This issue was discovered by Jan Rusnacko of the Red Hat Product Security Team.
Comment 13 Martin Povolny 2015-02-05 03:33:45 EST 
I have created a hardening ticket for this here: https://github.com/ManageIQ/manageiq/issues/1581

Because this has become a hardening issue rather than a security bug.
Comment 24 Kurt Seifried 2015-02-18 19:58:20 EST 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.3

Via RHSA-2015:0028 https://rhn.redhat.com/errata/RHSA-2015-0028.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.