Bug 1943630 (CVE-2021-3469) - CVE-2021-3469 Foreman: Impersonation vulnerability in Foreman
Summary: CVE-2021-3469 Foreman: Impersonation vulnerability in Foreman
Alias: CVE-2021-3469
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1941406 1943633
TreeView+ depends on / blocked
Reported: 2021-03-26 16:53 UTC by Yadnyawalk Tale
Modified: 2021-12-14 18:47 UTC (History)
12 users (show)

Fixed In Version: foreman 2.3.4, foreman 2.4.0
Doc Type: ---
Doc Text:
Foreman is affected by an improper authorization handling flaw. An authenticated attacker can impersonate the foreman-proxy if product enable the Puppet Certificate authority (CA) to sign certificate requests that have subject alternative names (SANs). Foreman do not enable SANs by default and `allow-authorization-extensions` is set to `false` unless user change `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration explicitly.
Clone Of:
Last Closed: 2021-03-26 17:35:27 UTC

Attachments (Terms of Use)

Description Yadnyawalk Tale 2021-03-26 16:53:44 UTC
The SmartProxyAuth of the Foreman allows controllers to authenticate certain requests based on the client certificate. As Puppet CA will consider subject alternative names (SANs) from a certificate along with Common name (CN); Puppet CA will sign the certificate with SANs pointing at DNS names of the already existing certificate. An attacker can obtain a new certificate by crafting Certificate Signing Request (CSR) made up with CN & SSNs and can able to impersonation foreman-proxy to accept the request.

Comment 1 Yadnyawalk Tale 2021-03-26 16:53:51 UTC

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project

Comment 2 Yadnyawalk Tale 2021-03-26 16:53:54 UTC

Red Hat Satellite is not affected by the flaw as the product required the Puppet CA as the primary trusted CA which does not allow to sign certificate requests that have subject alternative names by default.

Comment 3 Yadnyawalk Tale 2021-03-26 16:53:58 UTC

To mitigate the flaw, users are advised to set `allow-authorization-extensions` to the `false` in `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration file.

Comment 5 Product Security DevOps Team 2021-03-26 17:35:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.