1439622 – (CVE-2017-7470) CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks

Bug 1439622 (CVE-2017-7470) - CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks

Summary: CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-7470
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:	Lukáš Hellebrandt
Docs Contact:
URL:
Whiteboard:
Depends On:	1442130 1442131
Blocks:	1439624
TreeView+	depends on / blocked

Reported:	2017-04-06 10:35 UTC by Adam Mariš
Modified:	2021-02-17 02:22 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2017-12-21 13:29:09 UTC
Embargoed:

Attachments	(Terms of Use)
Proposed patch (501 bytes, patch) 2017-04-06 10:36 UTC, Adam Mariš	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1259	0	normal	SHIPPED_LIVE	Moderate: spacewalk-backend security update	2017-05-19 02:00:03 UTC

Description Adam Mariš 2017-04-06 10:35:52 UTC

It was found that spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks due to incorrect authorization check in backend/server/rhnChannel.py.

Comment 1 Adam Mariš 2017-04-06 10:36:46 UTC

Created attachment 1269322 [details]
Proposed patch

Comment 4 Adam Mariš 2017-04-06 13:51:55 UTC

Acknowledgments:

Name: Bert Stel (SUSE)

Comment 5 Michael Mráka 2017-04-10 10:09:11 UTC

Hello Adam,

the proposed patch does not seem to fix anything. If you have a reproducer will  you mind to share it with us?

Comment 6 Marcus Meissner 2017-04-10 11:23:18 UTC

The reason given to me by our maintainer is:

the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead.

can you contact our developer
Can Bulut Bayburt ( can.bulut.bayburt )
 
for more information?

Comment 7 Michael Mráka 2017-04-12 07:55:51 UTC

Steps to Reproduce:
1. install Satellite / Spacewalk server
2. create Admin user
3. create system group Group1
4. create User1, standard (non-admin) user, make it Group1 administrator
5. create User2, standard (non-admin) user
6. create User3, admin user, and disable it
7. register a system into Satellite / Spacewalk and add it to Group1
8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3

Actual results:
all user can add/remove channels

Expected results:
only Admin and User1 can manipulate channels

Additional info:
All users, group and server belong to the same org

Comment 9 Kurt Seifried 2017-04-12 17:47:49 UTC

Statement:

This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Marcus Meissner 2017-04-13 09:22:12 UTC

does this mean you are not going to assign a CVE?

Comment 12 Michael Mráka 2017-04-20 10:35:35 UTC

Has been an embargo date decided already?

Comment 15 errata-xmlrpc 2017-05-18 22:00:33 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 5.7
  Red Hat Satellite 5.6

Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259

Note You need to log in before you can comment on or make changes to this bug.