The SmartProxyAuth of the Foreman allows controllers to authenticate certain requests based on the client certificate. As Puppet CA will consider subject alternative names (SANs) from a certificate along with Common name (CN); Puppet CA will sign the certificate with SANs pointing at DNS names of the already existing certificate. An attacker can obtain a new certificate by crafting Certificate Signing Request (CSR) made up with CN & SSNs and can able to impersonation foreman-proxy to accept the request.
Acknowledgments: Name: Evgeni Golov (Red Hat) Upstream: Foreman project
Statement: Red Hat Satellite is not affected by the flaw as the product required the Puppet CA as the primary trusted CA which does not allow to sign certificate requests that have subject alternative names by default.
Mitigation: To mitigate the flaw, users are advised to set `allow-authorization-extensions` to the `false` in `/etc/puppetlabs/puppetserver/conf.d/ca.conf` configuration file.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3469