Red Hat Bugzilla – Bug 885130
CVE-2012-6137 subscription-manager: rhn-migrate-classic-to-rhsm missing SSL certificate verification
Last modified: 2017-11-06 10:49:36 EST
A security flaw was found in the way rhn-migrate-classic-to-rhsm tool of subscription-manager, a suite of tools and libraries for subscription and repository management, performed migration of system profiles, registered with Red Hat Network Classic to Customer Portal Subscription Management (certificate of Red Hat Network Classic server was not verified for validity). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to their ability to obtain user credentials, that would be used for authentication of that particular user at Red Hat Network Classic server before the system profile(s) migration.
This issue was found by Florian Weimer of Red Hat Product Security Team.
This issue affects the versions of the subscription-manager package, as shipped with Red Hat Enterprise Linux 5 and 6.
This issue (the conceptuality of upcoming change) affects the versions of the subscription-manager package, as shipped with Fedora release of 16 and 17.
Forgive me if I'm being obtuse, but could you provide a little more information on the bug? I assume you're talking about certificate verification in the connect_to_rhn() method. Does xmlrpclib not do certificate verification when a https link is passed in?
(In reply to comment #2)
> Does xmlrpclib not do certificate verification when a https link is passed in?
Correct, python xmlrpc lib does not check certificates when it's given https url.
Created attachment 704258 [details]
A fix for this issue
This has been assigned CVE-2012-6137.
Created subscription-manager tracking bugs for this issue
Affects: fedora-all [bug 960257]
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:0788 https://rhn.redhat.com/errata/RHSA-2013-0788.html