Bug 959524 - (CVE-2013-2056) CVE-2013-2056 Satellite: Inter-Satellite Sync (ISS) does not require authentication/authorization
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
Priority: medium / Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130521,repor...
: Security
Depends On: 959457 960651 960652 960653 965809
Blocks: 959526
Reported: 2013-05-03 12:58 EDT by Vincent Danen
Modified: 2015-07-31 07:58 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-06-04 15:56:47 EDT


Attachments
The patch we used to address the issue for Satellite 5.5. (1.88 KB, patch)
2013-05-09 05:05 EDT, Jan Pazdziora


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2013:0848
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Network Satellite spacewalk-backend security update
Last Updated: 2013-05-21 19:08:58 EDT

Description Vincent Danen 2013-05-03 12:58:48 EDT
It was found that Red Hat Satellite did not fully check the authenticity of a client beyond the initial authentication check.  If an attacker were to modify the satellite-sync client so as to skip the initial authentication call, it could obtain any channel content from any Satellite that it could access.

This is due to the fact that Satellite only verifies a client's authenticity during the initial /SAT check, but does not check any subsequent connections to the sync service.
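The flaw described above, modelled as an added example (not Satellite or spacewalk-backend code): a toy sync server that verifies the peer only in the initial handshake beside one that requires the handshake-issued token on every content request, plus the regression check a defender would keep to confirm the gap stays closed. All names, credentials and channel data are constructed for the example.

```python
import hmac
import secrets

# Constructed sample data: content the sync server hands out and the
# credentials it accepts. Hypothetical values, not from any real Satellite.
CHANNEL_CONTENT = {"rhel-x86_64-server-6": ["pkg-a-1.0.rpm", "pkg-b-2.1.rpm"]}
VALID_CREDENTIALS = {"satellite-client": "s3cret"}


class VulnerableSyncServer:
    """Models the reported flaw: the peer is verified only during the initial
    handshake; later content requests are served without any check."""

    def __init__(self):
        self.sessions = set()

    def authenticate(self, user, password):
        """The initial handshake (the equivalent of the /SAT check)."""
        if not hmac.compare_digest(VALID_CREDENTIALS.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def get_channel(self, channel, token=None):
        # `token` is ignored: a peer that never called authenticate() succeeds.
        return CHANNEL_CONTENT[channel]


class FixedSyncServer(VulnerableSyncServer):
    """Every request after the handshake must carry a token the handshake issued."""

    def get_channel(self, channel, token=None):
        if token is None or token not in self.sessions:
            raise PermissionError("request not authenticated")
        return CHANNEL_CONTENT[channel]


def content_served_without_handshake(server, channel="rhel-x86_64-server-6"):
    """Regression check: True if the server hands out channel content to a
    peer that skipped the handshake entirely, i.e. the flaw is present."""
    try:
        server.get_channel(channel)
        return True
    except PermissionError:
        return False
```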
Comment 5 Jan Pazdziora 2013-05-09 05:05:24 EDT
Created attachment 745586
The patch we used to address the issue for Satellite 5.5.
Comment 7 Vincent Danen 2013-05-09 10:01:31 EDT
The Inter-Satellite Sync (ISS) feature was introduced in Satellite 5.3, so this issue does not affect Satellite 5.2.
Comment 8 Murray McAllister 2013-05-13 02:51:11 EDT
Acknowledgements:

This issue was discovered by Jan Pazdziora of the Red Hat Satellite Engineering team.
Comment 9 errata-xmlrpc 2013-05-21 15:12:21 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Network Satellite Server v 5.3

Via RHSA-2013:0848 https://rhn.redhat.com/errata/RHSA-2013-0848.html
