Bug 965809 - Spacewalk allows ISS more than they should
Status: CLOSED CURRENTRELEASE
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Grant Gainey
QA Contact: Red Hat Satellite QA List
Keywords: Security, SecurityTracking
Depends On: 959457
Blocks: CVE-2013-2056 space20
Reported: 2013-05-21 15:16 EDT by Grant Gainey
Modified: 2013-08-02 09:11 EDT (History)

See Also:
Fixed In Version: spacewalk-backend-1.10.34-1
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 959457
Environment:
Last Closed: 2013-08-02 09:11:15 EDT
Type: Bug
Regression: ---


Attachments: None
Description Grant Gainey 2013-05-21 15:16:59 EDT
+++ This bug was initially created as a clone of Bug #959457 +++

Description of problem:

The backend/satellite_exporter/handlers/non_auth_dumper.py calls don't check the authenticity of the client, beyond the initial /SAT authentication.check done in backend/server/handlers/sat/auth.py. With a trivially modified satellite-sync client which skips the initial /SAT call, any client machine can get any channel content from any Satellite it can access via HTTP(S).

Version-Release number of selected component (if applicable):

Reproduced on spacewalk-nightly. The hole might have been there since the ISS feature was introduced.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a Satellite that does not have your client machine's IP in /etc/rhn/rhn.conf's allowed_iss_slaves.
2. In fact, to make things "extra secure", you can set disable_iss=1 too.
3. On client machine (likely another Satellite), apply the following patch to your satsync.py file:

--- /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py.orig	2013-01-10 07:12:50.000000000 -0500
+++ /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py	2013-05-03 10:17:24.000000000 -0400
@@ -454,6 +454,9 @@
                 else:
                     raise RhnSyncException, _('ERROR: this server must be registered with RHN.'), sys.exc_info()[2]
             # authorization check of the satellite
+            xmlWireSource.BaseWireSource(self.systemid, self.sslYN,
+                                                self.xml_dump_version)
+            return
             auth = xmlWireSource.AuthWireSource(self.systemid, self.sslYN,
                                                 self.xml_dump_version)
             auth.checkAuth()
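Review bot: the early `return` makes the `auth.checkAuth()` call unreachable, and the `xmlWireSource.BaseWireSource(...)` constructed just above it is discarded, so the client goes straight from its own registration check to the dump calls without ever performing the /SAT authentication step. That is exactly why the server cannot treat the /SAT call as its authorization gate: it is client-initiated and optional. The fix belongs in backend/satellite_exporter/handlers/non_auth_dumper.py, where each dump handler should apply the disable_iss and allowed_iss_slaves policy from /etc/rhn/rhn.conf on every request, independent of whether the caller ran checkAuth() first.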

4. Run satellite-sync against the "secured" Satellite: satellite-sync --step=channels --iss-parent=sputnik-prod.brq.redhat.com --no-ssl -l
  
Actual results:

10:28:23 WARNING: --list-channels option overrides any --step option. --step ignored.
10:28:23 Red Hat Network Satellite - live synchronization
10:28:23    url: http://sputnik-prod.brq.redhat.com
10:28:23    debug/output level: 1
10:28:23    db:  spaceuser/<password>@the_oracle
10:28:23 
10:28:23 Retrieving / parsing channel-families data
10:28:24 channel-families data complete
10:28:24 
10:28:24 Retrieving / parsing product names data
10:28:25 product names data complete
10:28:25 
10:28:25 Retrieving / parsing channel data
10:28:40    p = previously imported/synced channel
10:28:40    . = channel not yet imported/synced
10:28:40    e = channel no longer supported (end-of-service)
10:28:40    base-channels:
10:28:40       . clone-3-rhel-x86_64-server-5             2825       full import from Fri May  3 16:23:03 2013
10:28:40       . clone-clone-3-rhel-x86_64-server-5       2825       full import from Fri May  3 16:22:55 2013
10:28:40       . clone-rhel-x86_64-server-6               3430       full import from Fri May  3 16:23:27 2013
10:28:40       . jhutar-bz812053                             0       full import from Fri May  3 16:23:16 2013
10:28:40       . jtesar-dup-test                             1       full import from Fri May  3 16:23:10 2013
10:28:40       . jtesar-rhel-i386-server-5                10692       full import from Fri May  3 16:23:27 2013
10:28:40       . prod-clone-rhel-x86_64-client-5          1897       full import from Fri May  3 16:23:22 2013
10:28:40       . qa-clone-rhel-x86_64-client-5            10004       full import from Fri May  3 16:22:57 2013
10:28:40       . rhel-i386-client-5                       9352       full import from Fri May  3 16:23:13 2013

[...]

Expected results:

10:16:31 WARNING: --list-channels option overrides any --step option. --step ignored.
10:16:31 Red Hat Network Satellite - live synchronization
10:16:31    url: http://sputnik-prod.brq.redhat.com
10:16:31    debug/output level: 1
10:16:31 
10:16:31 
ERROR: The Server listed within iss-parent is not configured for ISS 
       capability.
       Please review your configuration before trying again.

Additional info:

We show this with -l above but I believe even syncing the content will run just fine.
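The following is an added illustration of the flaw described in this report and of the shape of a per-request fix; it is not Spacewalk code and does not reproduce the actual patch in commit 99771bb. It models a Satellite as a small Python class with a separate auth call (standing in for /SAT) and a dump call (standing in for the non_auth_dumper handlers), then runs a compliant client and a client that skips the auth call against a server that checks policy only in the auth call and against one that checks it on every dump request. The names SatelliteConfig, VulnerableServer, HardenedServer, the two client functions and the channel names are hypothetical; the two configuration keys are the ones named in the steps above.

```python
# Added illustration (not Spacewalk's code): an authorization check that
# lives only in a separate, client-initiated call does not protect the dump
# endpoints; a per-request check does. All class and function names here are
# hypothetical; only disable_iss and allowed_iss_slaves come from the report.
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when an ISS request is refused."""


@dataclass
class SatelliteConfig:
    # Mirrors the two /etc/rhn/rhn.conf settings named in the report.
    disable_iss: bool = False
    allowed_iss_slaves: set = field(default_factory=set)


class SatServer:
    """Toy Satellite exposing an auth call and a channel dump call."""

    def __init__(self, config, channels):
        self.config = config
        self.channels = list(channels)

    def _authorize(self, client_ip):
        # Same policy in both variants; what differs is where it is enforced.
        if self.config.disable_iss:
            raise NotAuthorized("ISS is disabled on this server")
        if client_ip not in self.config.allowed_iss_slaves:
            raise NotAuthorized("%s is not an allowed ISS slave" % client_ip)

    def auth_check(self, client_ip):
        # Stands in for /SAT: only runs if the client chooses to call it.
        self._authorize(client_ip)
        return True


class VulnerableServer(SatServer):
    """Dump endpoint trusts every caller (the flaw described above)."""

    def dump_channels(self, client_ip):
        return sorted(self.channels)


class HardenedServer(SatServer):
    """Dump endpoint re-applies the policy on every request."""

    def dump_channels(self, client_ip):
        self._authorize(client_ip)
        return sorted(self.channels)


def compliant_client(server, client_ip):
    """Behaves like stock satellite-sync: auth call first, then dump."""
    server.auth_check(client_ip)
    return server.dump_channels(client_ip)


def skipping_client(server, client_ip):
    """Models a client that never performs the auth call."""
    return server.dump_channels(client_ip)


def outcome(client, server, client_ip):
    """Return the channel list on success, or the refusal message."""
    try:
        return client(server, client_ip)
    except NotAuthorized as exc:
        return "refused: %s" % exc


# Constructed sample data.
CHANNELS = ["rhel-i386-client-5", "clone-rhel-x86_64-server-6"]
LOCKED_DOWN = SatelliteConfig(disable_iss=True)
SLAVE_ONLY = SatelliteConfig(allowed_iss_slaves={"10.0.0.5"})

if __name__ == "__main__":
    for name, cls in (("vulnerable", VulnerableServer), ("hardened", HardenedServer)):
        server = cls(LOCKED_DOWN, CHANNELS)
        print(name, "compliant client:", outcome(compliant_client, server, "10.0.0.9"))
        print(name, "client skipping auth:", outcome(skipping_client, server, "10.0.0.9"))
```

Against the locked-down configuration the compliant client is refused by both servers, but only the hardened server refuses the client that skips the auth call; the vulnerable one hands over the channel list, which is the behaviour the "Actual results" log above shows. The design point is that the refusal must be computed from server-side configuration on the request being served, not from a prior step the client controls.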
Comment 1 Grant Gainey 2013-05-28 09:55:33 EDT
Fixed in commit 99771bb4759079291a852daec60a7f5afa0e40eb
Comment 2 Tomáš Kašpárek 2013-08-02 09:11:15 EDT
Fix for this bug is present in Spacewalk 2.0, closing this bug as CURRENTRELEASE.
