Bug 1873131 (CVE-2020-14371) - CVE-2020-14371 Satellite: Compute resource credential leak
Summary: CVE-2020-14371 Satellite: Compute resource credential leak
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-14371
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1872333
Blocks: 1872454
Reported: 2020-08-27 13:04 UTC by Yadnyawalk Tale
Modified: 2021-12-14 18:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A credential leak vulnerability was found in Red Hat Satellite. This flaw exposes the compute resources credentials through VMs that are running on these resources in Satellite.
Clone Of:
Environment:
Last Closed: 2021-05-27 11:32:02 UTC
Embargoed:


Description Yadnyawalk Tale 2020-08-27 13:04:09 UTC
A credential leak vulnerability was identified in Red Hat Satellite which will expose compute resource credentials through VMs that are running on these resources in Satellite.

Comment 4 Guilherme de Almeida Suckevicz 2020-08-27 17:35:50 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)

Comment 11 Yadnyawalk Tale 2020-08-31 15:55:11 UTC
* Frequently Asked Questions for CVE-2020-14371:

Q: What is the impact of the flaw?
A: It is a moderate severity flaw and difficult to exploit in general. Please refer to the following classification for more information on severity: https://access.redhat.com/security/updates/classification

Q: What type of flaw is this?
A: Plaintext password (credential) leak via JSON. In the CWE world this is known as CWE-200.

Q: How does this flaw work?
A: An authenticated attacker of Satellite can acquire credentials of compute resources by inspecting VMs that are running on these resources.

Q: Does an attacker need to have an account on Red Hat Satellite to exploit this?
A: Yes, the attacker needs to have an account in Red Hat Satellite.

Q: How does an attacker choose to exploit this?
A: They could exploit this through an API endpoint: when an authenticated attacker hits the "https://hostname.com/api/redacted_path/redacted_path/redacted_path" endpoint (can't disclose this redacted_path), it will return JSON which has the credentials of the compute resource "client" used to manage this host on it.

Q: Which components from Satellite are affected by this?
A: The reporter only reported this issue against oVirt/RHV and users with host_view permissions; however, we are still investigating which other components are affected by this.

Q: What should be the expected result?
A: Users with host_view permissions privileges should never see the credentials of a compute resource client.

Q: Which version of Satellite is affected?
A: The flaw was reported against Satellite 6.6.3 with an oVirt/RHV compute resource; however, we believe that Satellite 6.7 is also affected.

Q: How can I fix this vulnerability? Is there any workaround?
A: Fixes are not released yet, and no workaround has been found at the moment.

Q: Current status.
A: Engineering is currently discussing the fix and cause of this vulnerability.
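
The expected result stated in the FAQ above (a host_view user never sees compute resource client credentials in the JSON) can be enforced as a regression check on API responses. The following Ruby sketch is an added example, not part of the bug report or Satellite's code; the key-name list, the function names and the sample response layout are assumptions constructed for illustration.

```ruby
require 'json'

# Key names treated as credential-bearing (assumed list; extend it to match
# the serializers in your own deployment).
SENSITIVE_KEY = /\A(password|passwd|secret|token|api_key|private_key)\z/i

def blank_value?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Walk a parsed JSON document and return the dotted path of every sensitive
# key that carries a non-empty value.
def leaked_credential_paths(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      here = path + [key.to_s]
      hits = leaked_credential_paths(value, here)
      hits.unshift(here.join('.')) if key.to_s.match?(SENSITIVE_KEY) && !blank_value?(value)
      hits
    end
  when Array
    node.each_with_index.flat_map { |v, i| leaked_credential_paths(v, path + [i.to_s]) }
  else
    []
  end
end

# Mitigation side: return a copy with sensitive keys dropped at any depth,
# suitable for use just before a response is rendered to a low-privilege user.
def redact_credentials(node)
  case node
  when Hash
    node.each_with_object({}) do |(key, value), out|
      out[key] = redact_credentials(value) unless key.to_s.match?(SENSITIVE_KEY)
    end
  when Array then node.map { |v| redact_credentials(v) }
  else node
  end
end

# Constructed sample response; the field layout is hypothetical and is not
# the output of the redacted Satellite endpoint.
SAMPLE_RESPONSE = <<~JSON
  {"name": "vm01.example.com",
   "compute_resource": {"name": "rhv-lab", "provider": "oVirt",
     "client": {"url": "https://rhv.example.com/ovirt-engine/api",
                "username": "admin@internal", "password": "constructed-value"}},
   "interfaces": [{"mac": "52:54:00:00:00:01", "token": ""}]}
JSON

puts leaked_credential_paths(JSON.parse(SAMPLE_RESPONSE)) if __FILE__ == $PROGRAM_NAME
```

Run against responses captured with a host_view-only account, a non-empty result from `leaked_credential_paths` marks the response as failing the expected result.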

Comment 12 RaTasha Tillery-Smith 2020-09-01 14:21:54 UTC
Statement:

Red Hat Satellite is vulnerable to the compute resource credential leak through VMs that are running on these resources in Satellite. Red Hat Product Security has rated this flaw as having a security impact of Moderate. Please refer to https://access.redhat.com/security/updates/classification for clarification on the scoring.

Comment 14 Product Security DevOps Team 2021-05-27 11:32:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14371

