Bug 1943630 (CVE-2021-3469) - CVE-2021-3469 Foreman: Impersonation vulnerability in Foreman
Summary: CVE-2021-3469 Foreman: Impersonation vulnerability in Foreman
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3469
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1941406 1943633
Reported: 2021-03-26 16:53 UTC by Yadnyawalk Tale
Modified: 2021-12-14 18:47 UTC (History)
CC List: 12 users

Fixed In Version: foreman 2.3.4, foreman 2.4.0
Doc Type: ---
Doc Text:
Foreman is affected by an improper authorization handling flaw. An authenticated attacker can impersonate the foreman-proxy if the product enables the Puppet Certificate Authority (CA) to sign certificate requests that have subject alternative names (SANs). Foreman does not enable SANs by default, and `allow-authorization-extensions` is set to `false` unless the user changes the `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration explicitly.
Clone Of:
Environment:
Last Closed: 2021-03-26 17:35:27 UTC
Embargoed:



Description Yadnyawalk Tale 2021-03-26 16:53:44 UTC
The SmartProxyAuth of Foreman allows controllers to authenticate certain requests based on the client certificate. As Puppet CA will consider subject alternative names (SANs) from a certificate along with the Common Name (CN), Puppet CA will sign the certificate with SANs pointing at DNS names of an already existing certificate. An attacker can obtain a new certificate by crafting a Certificate Signing Request (CSR) made up of a CN and SANs and can impersonate foreman-proxy to have the request accepted.
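
The following is an added model (not Foreman's code, and not part of this report) of the authorization decision the description is about: a permissive check that accepts any DNS name found on a verified client certificate, CN or SAN, beside a strict check that consults only the Common Name. Proxy hostnames and certificate identities are constructed sample values; the function and class names are assumptions for this illustration.

```python
"""Added model of certificate-based smart-proxy authorization (not Foreman's
code). It contrasts a permissive check that trusts CN or any DNS SAN with a
strict check that trusts the CN only, using constructed sample certificates."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """Identity fields a TLS layer would extract from an already-verified
    client certificate (constructed; no real certificate parsing here)."""
    common_name: str
    dns_sans: tuple = ()


# Constructed registry of smart proxies known to the server.
REGISTERED_PROXIES = frozenset({"proxy.example.com", "proxy2.example.com"})


def proxy_for_cert_permissive(cert, registered=REGISTERED_PROXIES):
    """Weak check: any name on the certificate (CN or DNS SAN) may identify
    a proxy. Returns the matched proxy name, or None if nothing matches."""
    for name in (cert.common_name, *cert.dns_sans):
        if name in registered:
            return name
    return None


def proxy_for_cert_strict(cert, registered=REGISTERED_PROXIES):
    """Hardened check: only the Common Name identifies the proxy, so a SAN
    list that happens to name a proxy does not grant that proxy's identity."""
    return cert.common_name if cert.common_name in registered else None


def compare(cert):
    """Return (permissive_result, strict_result) for one certificate."""
    return proxy_for_cert_permissive(cert), proxy_for_cert_strict(cert)


# Constructed certificates.
GENUINE_PROXY = ClientCert("proxy.example.com", ("proxy.example.com",))
# A host certificate with its own CN but a SAN list that names a proxy: the
# shape of certificate the report says a SAN-signing CA would produce.
SAN_ONLY_CLAIM = ClientCert("host42.example.com",
                            ("host42.example.com", "proxy.example.com"))
UNRELATED = ClientCert("host43.example.com", ())

if __name__ == "__main__":
    cases = [("genuine proxy", GENUINE_PROXY),
             ("SAN-only claim", SAN_ONLY_CLAIM),
             ("unrelated host", UNRELATED)]
    for label, cert in cases:
        permissive, strict = compare(cert)
        print(f"{label:15} permissive={permissive!r:22} strict={strict!r}")
```

Run stand-alone, the permissive check resolves the SAN-only certificate to `proxy.example.com` while the strict check rejects it; the genuine proxy passes both and the unrelated host fails both. That difference is the whole point of the report: which names on a certificate the server treats as an identity claim.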

Comment 1 Yadnyawalk Tale 2021-03-26 16:53:51 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project

Comment 2 Yadnyawalk Tale 2021-03-26 16:53:54 UTC
Statement:

Red Hat Satellite is not affected by the flaw, as the product requires the Puppet CA as the primary trusted CA, which does not allow signing certificate requests that have subject alternative names by default.

Comment 3 Yadnyawalk Tale 2021-03-26 16:53:58 UTC
Mitigation:

To mitigate the flaw, users are advised to set `allow-authorization-extensions` to `false` in the `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration file.
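
As an added compliance check for the Doc Text and the mitigation above (not code from Puppet, Foreman or this report), the script below reads a Puppet Server `ca.conf` and reports whether `allow-authorization-extensions` is explicitly `true`. The file is HOCON; this reader only handles the plain `key: value` / `key = value` lines and `#` or `//` comments found in the stock file, and treats an absent key as the default `false` the Doc Text states. The sample file contents are constructed, and the function names are assumptions.

```python
"""Added check (not from the report or from Puppet/Foreman): report whether
`allow-authorization-extensions` is enabled in a Puppet Server ca.conf.
Handles simple HOCON `key: value` lines and comments; an absent key counts
as the default false stated in the report. Samples are constructed."""

import re
import sys

KEY = "allow-authorization-extensions"
DEFAULT_PATH = "/etc/puppetlabs/puppetserver/conf.d/ca.conf"
# Matches `allow-authorization-extensions: true`, quoted keys, `=` and a
# trailing comma; case-insensitive on the boolean.
_LINE = re.compile(r'^\s*"?' + re.escape(KEY) + r'"?\s*[:=]\s*(true|false)\s*,?\s*$',
                   re.IGNORECASE)


def strip_comment(line):
    """Drop a trailing `#` or `//` comment; enough for the stock ca.conf."""
    for marker in ("#", "//"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line


def authorization_extensions_enabled(text):
    """True if the key is explicitly `true`; False if explicitly `false` or
    absent (the report's stated default). The last assignment wins."""
    value = False
    for raw in text.splitlines():
        match = _LINE.match(strip_comment(raw))
        if match:
            value = match.group(1).lower() == "true"
    return value


def assess(text):
    """One-line finding for a hardening report."""
    if authorization_extensions_enabled(text):
        return f"FINDING: {KEY} is true; set it to false per the mitigation."
    return f"OK: {KEY} is false or unset (default false)."


# Constructed sample configurations.
HARDENED = """\
certificate-authority: {
    # mitigation from the report
    allow-authorization-extensions: false
}
"""
WEAK = """\
certificate-authority: {
    allow-authorization-extensions: true  // enabled by an operator
}
"""
UNSET = "certificate-authority: {\n}\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python ca_conf_check.py /etc/puppetlabs/puppetserver/conf.d/ca.conf
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess(fh.read()))
    else:
        print(f"no path given (expected e.g. {DEFAULT_PATH}); running samples")
        for label, cfg in (("hardened", HARDENED), ("weak", WEAK), ("unset", UNSET)):
            print(f"{label:9} {assess(cfg)}")
```

Pass the real path as the first argument on a Puppet Server host; with no argument the script evaluates the three constructed samples. Because HOCON accepts more value forms than `true`/`false`, anything this reader does not recognise is left at the default rather than guessed, so a clean result on an unusually formatted file still deserves a manual look.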

Comment 5 Product Security DevOps Team 2021-03-26 17:35:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3469

