Summary: Authorized RCE in Red Hat Satellite via rubyipmi gem used in the BMC component Requirements to exploit: Satellite with the BMC component enabled, using ipmitool as the IPMI implementation. The attacker needs permissions to create (or update) existing hosts in Satellite, but not to manage Satellite. Component affected: https://github.com/logicminds/rubyipmi Version affected: <= 0.12.1 Patch available: yes Version fixed (if any already): none yet CVSS (optional): I don't believe in CVSS Impact (optional): moderate Embargo: no Reason: one needs a specific setup and privileges in it to be able to exploit Suggested public date: dd-MMM-yyyy (It is important to note that an embargo may be lifted before there is a fix if necessary) Acknowledgement: <Name> <Company> of the reporter and if they want to be acknowledged Steps to reproduce if available: deploy Foreman/Satellite with --foreman-proxy-bmc true create a host with a BMC interface and use "admin; touch /var/log/foreman-proxy/hacked" as the username for the BMC (requires host create/edit permissions, but not admin) refresh the host in the UI for Foreman to fetch the BMC status see /var/log/foreman-proxy/hacked was created Mitigation if available: use freeipmi or apply patch