Bug 959524 (CVE-2013-2056) - CVE-2013-2056 Satellite: Inter-Satellite Sync (ISS) does not require authentication/authorization
Summary: CVE-2013-2056 Satellite: Inter-Satellite Sync (ISS) does not require authenti...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 959457 960651 960652 960653 965809
Blocks: 959526
Reported: 2013-05-03 16:58 UTC by Vincent Danen
Modified: 2023-05-12 22:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-04 19:56:47 UTC
Embargoed:


Attachments
The patch we used to address the issue for Satellite 5.5. (1.88 KB, patch)
2013-05-09 09:05 UTC, Jan Pazdziora


Links
Red Hat Product Errata RHSA-2013:0848 (priority: normal; status: SHIPPED_LIVE; not private): Moderate: Red Hat Network Satellite spacewalk-backend security update. Last updated 2013-05-21 23:08:58 UTC.

Description Vincent Danen 2013-05-03 16:58:48 UTC
It was found that Red Hat Satellite did not fully check the authenticity of a client beyond the initial authentication check.  If an attacker were to modify the satellite-sync client so as to skip the initial authentication call, it could obtain any channel content from any Satellite that it could access.

This is due to the fact that Satellite only verifies a client's authenticity during the initial /SAT check, but does not check any subsequent connections to the sync service.
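
The bug class described in this report, modelled as an added example (hypothetical Python written for this page, not Satellite or spacewalk-backend code): a sync service that verifies the client only on the initial /SAT handshake and then serves channel content to anyone, beside a hardened version that demands a valid session on every later request. Only the /SAT path is taken from the report; the /SAT-DUMP/channel endpoint, the X-RHN-Session header, the client credentials and the channel contents are constructed for illustration.

```python
"""Model of 'authenticate once, never re-check' (CVE-2013-2056 bug class).

Hypothetical example, not Satellite/Spacewalk code. Endpoint names other than
/SAT, the session header and all sample data are assumptions for illustration.
"""
import hmac
import secrets

# Constructed sample data: one authorised sync client and one channel.
CLIENTS = {"satellite-slave-1": "s3cret"}  # client id -> shared secret
CHANNELS = {"rhel-x86_64-server-6": ["pkg-a-1.0.rpm", "pkg-b-2.3.rpm"]}
SESSION_HEADER = "X-RHN-Session"  # assumed header name, not the real protocol


class AuthError(Exception):
    """Raised when a request is refused for missing or invalid authentication."""


class VulnerableSyncServer:
    """Checks credentials on /SAT only; every other handler trusts the caller."""

    def __init__(self):
        self.sessions = {}  # session token -> client id

    def handle(self, path, headers, params):
        if path == "/SAT":
            return self._handshake(params)
        if path == "/SAT-DUMP/channel":
            # BUG: no session check. A client that never called /SAT (e.g. a
            # satellite-sync patched to skip the handshake) still gets content.
            return self._dump_channel(params)
        raise KeyError(path)

    def _handshake(self, params):
        secret = CLIENTS.get(params.get("client"))
        if secret is None or not hmac.compare_digest(secret, params.get("secret", "")):
            raise AuthError("bad credentials")
        token = secrets.token_hex(16)  # unguessable session id from a CSPRNG
        self.sessions[token] = params["client"]
        return {"session": token}

    def _dump_channel(self, params):
        return {"channel": params["label"], "packages": CHANNELS[params["label"]]}


class HardenedSyncServer(VulnerableSyncServer):
    """Same endpoints, but every non-handshake request must carry a live session."""

    def handle(self, path, headers, params):
        if path == "/SAT":
            return self._handshake(params)
        self._require_session(headers)  # raises AuthError before any dispatch
        if path == "/SAT-DUMP/channel":
            return self._dump_channel(params)
        raise KeyError(path)

    def _require_session(self, headers):
        token = headers.get(SESSION_HEADER, "")
        # Constant-time comparison against each known token so a guessing
        # attacker learns nothing from response timing.
        for known, client in self.sessions.items():
            if hmac.compare_digest(known, token):
                return client
        raise AuthError("missing or invalid session")


def attacker_skips_handshake(server, forged_token=None):
    """Mimic a sync client that skips /SAT, optionally presenting a forged token.

    Returns the package list if the server leaks it, otherwise None."""
    headers = {SESSION_HEADER: forged_token} if forged_token else {}
    try:
        resp = server.handle("/SAT-DUMP/channel", headers, {"label": "rhel-x86_64-server-6"})
        return resp["packages"]
    except AuthError:
        return None


def legitimate_sync(server):
    """Normal flow: authenticate on /SAT, then fetch with the returned session."""
    sess = server.handle("/SAT", {}, {"client": "satellite-slave-1", "secret": "s3cret"})["session"]
    resp = server.handle("/SAT-DUMP/channel", {SESSION_HEADER: sess},
                         {"label": "rhel-x86_64-server-6"})
    return resp["packages"]


def handshake_rejected(server, client, secret):
    """True if /SAT refuses the given credentials (so no session is created)."""
    try:
        server.handle("/SAT", {}, {"client": client, "secret": secret})
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, no /SAT :", attacker_skips_handshake(VulnerableSyncServer()))
    print("hardened,   no /SAT :", attacker_skips_handshake(HardenedSyncServer()))
    print("hardened,   legit   :", legitimate_sync(HardenedSyncServer()))
```

The point of the hardened variant is structural: the session check runs in the dispatcher before any content handler is reached, so adding a new endpoint cannot silently reintroduce the gap. When auditing a service of this shape, list every URL the client can reach after login and confirm each one fails closed without a session, rather than trusting that the handshake "protects" the rest.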

Comment 5 Jan Pazdziora 2013-05-09 09:05:24 UTC
Created attachment 745586
The patch we used to address the issue for Satellite 5.5.

Comment 7 Vincent Danen 2013-05-09 14:01:31 UTC
The Inter-Satellite Sync (ISS) feature was introduced in Satellite 5.3, so this issue does not affect Satellite 5.2.

Comment 8 Murray McAllister 2013-05-13 06:51:11 UTC
Acknowledgements:

This issue was discovered by Jan Pazdziora of the Red Hat Satellite Engineering team.

Comment 9 errata-xmlrpc 2013-05-21 19:12:21 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Network Satellite Server v 5.3

Via RHSA-2013:0848 https://rhn.redhat.com/errata/RHSA-2013-0848.html

