A credential leak vulnerability was identified on Red Hat Satellite which will expose compute resources credential through VMs that are running on these resources in Satellite.
Acknowledgments: Name: Evgeni Golov (Red Hat)
* Frequently Asked Questions for CVE-2020-14371: Q: What is the impact of the flaw? A: It is a moderate severity flaw and difficult to exploit in general. Please refer following classification for more information on severity: https://access.redhat.com/security/updates/classification Q: What type of flaw is this? A: Plaintext password (credential) leak via JSON. In the CWE world this is known for CWE-200. Q: How does this flaw work? A: Authenticated attacker of Satellite can acquire credentials of compute resources by inspecting VMs that are running on these resources. Q: Does an attacker need to have an account on Red Hat Satellite to exploit this? A: Yes, attacker need to have an account in Red Hat Satellite. Q: How do attacker choose to exploit this? A: They could exploit this through API endpoint, when authenticated attacker hit "https://hostname.com/api/redacted_path/redacted_path/redacted_path" endpoint (can't disclose this redacted_path) it will return JSON which have the credentials of the compute resource "client" used to manage this host on it. Q: Which components from Satellite are affected by this? A: Reporter only reported this issue against oVirt/RHV and users with host_view permissions, however, we are still investigating which other components are affected by this. Q: What should be the expected result? A: Users with host_view permissions privileges should never see the credentials of a compute resource client. Q: Which version of Satellite is affected? A: Flaw reported against Satellite 6.6.3 with oVirt/RHV compute resource, however we believe that Satellite 6.7 is also affected Q: How can I fix this vulnerability? Is there any workaround? A: Fixes are not released yet, there is no workaround found at the moment. Q: Current status. A: Engineering currently discussing on fix and cause of this vulnerability.
Statement: Red Hat Satellite is vulnerable to the compute resource credential leak through VMs that are running on these resources in Satellite. Red Hat Product Security has rated this flaw as having a security impact of Moderate. Please refer to https://access.redhat.com/security/updates/classification for clarification on the scoring.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14371