Bug 1702604 (CVE-2019-10137) - CVE-2019-10137 spacewalk-proxy: Path traversal in proxy authentication cache
Summary: CVE-2019-10137 spacewalk-proxy: Path traversal in proxy authentication cache
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10137
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190701,repo...
Depends On: 1710280
Blocks: 1702605
Reported: 2019-04-24 08:49 UTC by Marian Rehak
Modified: 2019-07-12 13:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A path traversal flaw was found in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files or, if they have access to the proxy's filesystem, to execute arbitrary code in the context of the httpd process.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:07:05 UTC


Attachments
make sure file is created inside CACHEDIR (991 bytes, patch)
2019-07-03 09:01 UTC, Cedric Buissart 🐶


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1663 None None None 2019-07-02 13:57:36 UTC

Description Marian Rehak 2019-04-24 08:49:52 UTC
Untrusted user input in the 'X-RHN-Server-ID' header flows through these functions to be directly used as part of a path name, if CFG.USE_LOCAL_AUTH is true:

__checkAuthSessionTokenCache -> update_client_token_if_valid -> set_client_token -> AuthLocalBackend.__setitem__ (_compute_key) -> _fname -> cleanupPath

With the resulting path, files are read, written, truncated, deleted, and directories created.

Comment 2 Marian Rehak 2019-04-24 08:54:32 UTC
Acknowledgments:

Name: Malte Kraus (SUSE)

Comment 3 Marian Rehak 2019-04-24 09:55:39 UTC
Discovered in private SUSE fork based on version spacewalk 2.8, but upstream master looks to be equally affected.

Comment 7 Cedric Buissart 🐶 2019-05-14 10:15:27 UTC
The attack does not require authentication.

* The attack can be used to force the Proxy into reading files outside of the dedicated token directory. However, unless the said file is specially crafted, this will result in an error and the file content will not be revealed to the attacker.

* Considering the parent Satellite trusted, the attack cannot be used to force writing data outside of the token directory, nor writing arbitrary data.

* The attack can be used to test the existence of files in the proxy's filesystem (the error differs whether the token file exists or not).

* If the attacker has the ability to write arbitrary data on an arbitrary location, the flaw could be used to execute code on the proxy server, in the context of the proxy service, during the unserialization of the token file.

Comment 11 Cedric Buissart 🐶 2019-06-12 14:06:29 UTC
Mitigation:

SELinux in enforcing mode will prevent the proxy from accessing files that have an incompatible SELinux context.

Comment 12 errata-xmlrpc 2019-07-02 13:57:35 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Proxy v 5.8

Via RHSA-2019:1663 https://access.redhat.com/errata/RHSA-2019:1663

Comment 13 Cedric Buissart 🐶 2019-07-03 09:01:32 UTC
Created attachment 1586994
make sure file is created inside CACHEDIR
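
The following is an added example, not the attached patch and not Spacewalk code: it shows the kind of containment check the attachment title describes, applied to a key derived from a header such as 'X-RHN-Server-ID'. The CACHEDIR value, the function names and the sample IDs are constructed for illustration, and `naive_fname` is a simplified stand-in for the join-then-normalise pattern in the description.

```python
import os

# Constructed cache root; the proxy's real CACHEDIR value is not given on this page.
CACHEDIR = "/var/cache/example-proxy-auth"


class PathEscapeError(ValueError):
    """Raised when a cache key would resolve outside CACHEDIR."""


def naive_fname(server_id):
    # Unsafe pattern: the header value is joined into the path and only
    # normalised, so "../" sequences are collapsed but still honoured.
    return os.path.normpath(os.path.join(CACHEDIR, server_id))


def safe_fname(server_id):
    """Return the cache path for server_id, refusing anything outside CACHEDIR."""
    root = os.path.realpath(CACHEDIR)
    # realpath resolves "..", absolute overrides and symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, str(server_id)))
    # commonpath compares whole path components, so a sibling directory such as
    # "<CACHEDIR>-evil" is rejected, which a plain startswith() test would miss.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError("cache key resolves outside CACHEDIR")
    return candidate


def check(server_id):
    """Classify a key without touching the filesystem beyond path resolution."""
    try:
        safe_fname(server_id)
        return "accepted"
    except PathEscapeError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample header values.
    for sid in ["1000010000", "../../../../etc/passwd", "/etc/passwd",
                "../example-proxy-auth-evil/x", ""]:
        print(repr(sid), "->", check(sid))
```

Rejecting the key before any open, stat or unlink call also means the caller can return one uniform error, so the response no longer depends on whether a file outside the cache exists.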

Comment 14 Product Security DevOps Team 2019-07-12 13:07:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10137

