Bug 966804 (CVE-2013-2113) - CVE-2013-2113 Foreman: app/controllers/users_controller.rb arbitrary admin user creation due to mass assignment
Status: CLOSED ERRATA
Alias: CVE-2013-2113
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://projects.theforeman.org/issues...
Whiteboard: impact=moderate,public=20130607,repor...
Keywords: Security
Depends On: 966823 966825
Blocks: 966806
 
Reported: 2013-05-24 02:41 UTC by Kurt Seifried
Modified: 2016-04-26 20:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-16 03:47:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2013:0995 | normal | SHIPPED_LIVE | Important: Foreman security and bug fix update | 2013-06-27 20:43:49 UTC

Description Kurt Seifried 2013-05-24 02:41:48 UTC
Ramon de C Valle (rcvalle@redhat.com) reports:

There is a mass assignment vulnerability in the create method of the
UsersController controller.

The create method in app/controllers/users_controller.rb deletes the 
user-controlled user[admin] parameter from the params hash but saves it to a 
local variable and assigns it to the newly created user object bypassing the 
:attr_protected mechanism.

  def create
    # user[admin] is removed from the hash that will be mass-assigned...
    admin = params[:user].delete :admin
    # ...but re-applied inside the block, where attr_protected is never consulted
    @user = User.new(params[:user]){|u| u.admin = admin }
    if @user.save
      @user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
      process_success
    else
      process_error
    end
  end

Any non-admin user with permissions to create other (non-admin) users
(i.e. with Manager role) can create arbitrary admin users by sending a
specially-crafted POST request.

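The following is an added illustration, not code from Foreman or from the report above. It models, in plain Ruby without Rails, how Rails 3 attr_protected filters a mass-assigned hash while the initialize block runs after that filter, so the delete-and-reapply pattern in the snippet hands user[admin] straight to the record. The hardened variant is an assumption about the intended behaviour (honour the flag only when the calling user is already an admin), not the upstream commit; the User class, the helper names and the crafted request hash are all constructed for this example.

```ruby
require 'set'

# Stand-in for an ActiveRecord model declaring attr_protected :admin.
class User
  PROTECTED = Set['admin'].freeze
  attr_accessor :login
  attr_reader :admin

  # Mimics ActiveRecord's initialize: mass-assign the hash through the
  # attr_protected filter, then yield the record to the block. Anything the
  # block does is an ordinary method call and is never filtered.
  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
    yield self if block_given?
  end

  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_s
      next if PROTECTED.include?(key)     # attr_protected drops this key
      public_send("#{key}=", value)       # unknown keys raise, as in Rails
    end
  end

  # Boolean column typecast: form params arrive as strings such as "true".
  def admin=(value)
    @admin = [true, 'true', '1', 1].include?(value)
  end
end

# Vulnerable pattern, same shape as the controller snippet in the report:
# the key is pulled out of params and re-applied in the block.
def vulnerable_create(params)
  user_params = params[:user].dup
  admin = user_params.delete(:admin)
  User.new(user_params) { |u| u.admin = admin }
end

# Hardened pattern (assumed intent, not the upstream fix): the caller's own
# privilege decides whether the submitted flag is honoured at all.
def hardened_create(params, current_user)
  user_params = params[:user].dup
  admin = user_params.delete(:admin)
  User.new(user_params) do |u|
    u.admin = admin if current_user.admin
  end
end

# Constructed request body from a Manager-role (non-admin) user; Rails would
# decode user[login]=mallory&user[admin]=true into this hash.
CRAFTED_PARAMS = { user: { login: 'mallory', admin: 'true' } }.freeze

# Returns [filtered, bypassed, hardened] admin flags for the crafted request.
def demo
  manager = User.new(login: 'manager')          # plain user, admin stays false
  filtered = User.new(CRAFTED_PARAMS[:user])    # mass assignment alone: blocked
  bypassed = vulnerable_create(CRAFTED_PARAMS)  # block form: protection skipped
  hardened = hardened_create(CRAFTED_PARAMS, manager)
  [filtered.admin, bypassed.admin, hardened.admin]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Passing the hash straight to User.new leaves admin false, which is what attr_protected is for; the moment the value travels through the block it lands on the record unchecked. The same applies to any attribute whose "protection" is re-implemented by hand in a controller: the filter only covers the hash it is given.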
Comment 4 Dominic Cleal 2013-06-07 09:48:17 UTC
Upstream tracker: http://projects.theforeman.org/issues/2630

A fix has been committed:
commit bae665de387d63f93740670ec2542db90084d0eb
Author: Marek Hulan <mhulan@redhat.com>
Date:   Thu Jun 6 11:25:17 2013 +0200

    fixes #2630 - restrict assignment of roles to those a user has (CVE-2013-2113)

And cherry-picked to stable branches:
1.2-stable: b52383d075abe611ac18db3925a787fa4b94b33b
1.1-stable: 7eadf32c83381aadc092cded68efff04ef20e07a

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975

Comment 5 Murray McAllister 2013-06-13 07:20:19 UTC
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 7 Kurt Seifried 2013-06-13 16:05:30 UTC
This issue is public: http://projects.theforeman.org/issues/2630

Comment 8 errata-xmlrpc 2013-06-27 16:44:58 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html

