Bug 1439622 (CVE-2017-7470) - CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks
Summary: CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin o...
Alias: CVE-2017-7470
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Lukáš Hellebrandt
Depends On: 1442130 1442131
Blocks: 1439624
TreeView+ depends on / blocked
Reported: 2017-04-06 10:35 UTC by Adam Mariš
Modified: 2019-09-29 14:09 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py.
Clone Of:
Last Closed: 2017-12-21 13:29:09 UTC

Attachments (Terms of Use)
Proposed patch (501 bytes, patch)
2017-04-06 10:36 UTC, Adam Mariš
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1259 normal SHIPPED_LIVE Moderate: spacewalk-backend security update 2017-05-19 02:00:03 UTC

Description Adam Mariš 2017-04-06 10:35:52 UTC
It was found that spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks due to incorrect authorization check in backend/server/rhnChannel.py.

Comment 1 Adam Mariš 2017-04-06 10:36:46 UTC
Created attachment 1269322 [details]
Proposed patch

Comment 4 Adam Mariš 2017-04-06 13:51:55 UTC

Name: Bert Stel (SUSE)

Comment 5 Michael Mráka 2017-04-10 10:09:11 UTC
Hello Adam,

the proposed patch does not seem to fix anything. If you have a reproducer will  you mind to share it with us?

Comment 6 Marcus Meissner 2017-04-10 11:23:18 UTC
The reason given to me by our maintainer is:

the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead.

can you contact our developer
Can Bulut Bayburt ( can.bulut.bayburt@suse.com )
for more information?

Comment 7 Michael Mráka 2017-04-12 07:55:51 UTC
Steps to Reproduce:
1. install Satellite / Spacewalk server
2. create Admin user
3. create system group Group1
4. create User1, standard (non-admin) user, make it Group1 administrator
5. create User2, standard (non-admin) user
6. create User3, admin user, and disable it
7. register a system into Satellite / Spacewalk and add it to Group1
8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3

Actual results:
all user can add/remove channels

Expected results:
only Admin and User1 can manipulate channels

Additional info:
All users, group and server belong to the same org

Comment 9 Kurt Seifried 2017-04-12 17:47:49 UTC

This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Marcus Meissner 2017-04-13 09:22:12 UTC
does this mean you are not going to assign a CVE?

Comment 12 Michael Mráka 2017-04-20 10:35:35 UTC
Has been an embargo date decided already?

Comment 15 errata-xmlrpc 2017-05-18 22:00:33 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.7
  Red Hat Satellite 5.6

Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259

Note You need to log in before you can comment on or make changes to this bug.