Bug 1269588 (CVE-2015-7544) - CVE-2015-7544 redhat-support-plugin-rhev: Remote code execution by SuperUser role on hosts in RHEV
Summary: CVE-2015-7544 redhat-support-plugin-rhev: Remote code execution by SuperUser ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7544
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1313073 1313074
Blocks: 1269590
TreeView+ depends on / blocked
 
Reported: 2015-10-07 15:59 UTC by Adam Mariš
Modified: 2021-02-17 04:52 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that redhat-support-plugin-rhev passed a user-specified path and file name directly to the command line in the log viewer component. This could allow users with the SuperUser role on any Entity to execute arbitrary commands on any host in the RHEV environment.
Clone Of:
Environment:
Last Closed: 2016-03-09 21:45:04 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0426 0 normal SHIPPED_LIVE Important: redhat-support-plugin-rhev security, bug fix and enhancement update 2016-03-10 01:20:37 UTC

Description Adam Mariš 2015-10-07 15:59:03 UTC
Alexander Wels of Red Hat reported vulnerability allowing anybody possessing SuperUser role on any Entity to remotely execute arbitrary code as root on any host in RHEV environment. The vulnerability is in the feature that allows to view logs that reside on the hosts from inside the UI by selecting the log from the UI. It happens as following:

/* http request to /redhat-support-plugin-
rhev/logs?path=<path+filename>&machine=<name of machine selected>/
/* servlet handles the request, and passes the <path+filename> to an ssh client
class./
/* The ssh client connects to the selected machine and executes as root/
/ 'stat - c %s ' + <path+filename>/

Nowhere in this sequence is the <path+filename> checked or validated. The only validation that happens is that the session associated with the request has the 'SuperUser' role. It doesn't matter what entity the role is on, it just has to have that role on any entity in the RHEV system. With fairly simple url parameter manipulation, an arbitrary code can be executed as root on any host in the RHEV system. Note that SuperUser on an Entity != ROOT on the hosts.

Comment 2 Kurt Seifried 2015-12-07 18:27:34 UTC
Workaround:

Removing the log viewer plugin will prevent exploitation of this issue.

Comment 4 errata-xmlrpc 2016-03-09 20:23:20 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.6

Via RHSA-2016:0426 https://rhn.redhat.com/errata/RHSA-2016-0426.html

Comment 6 Kurt Seifried 2016-03-21 15:05:17 UTC
This functionality was added in  commit b1db7cc89ac3da23c72dc97844f8be26f54973d2 on Fri Apr 18 09:32:12 2014 which was introduced in RHEV 3.4, and then removed in RHEV 3.6.

Comment 7 Adam Mariš 2016-03-21 15:34:11 UTC
Acknowledgments:

Name: Alexander Wels (Red Hat)


Note You need to log in before you can comment on or make changes to this bug.