Headline
CVE-2021-20290: Clients can perform reserved actions on Foreman Server through OpenSCAP plugin for smart-proxy
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
Description Yadnyawalk Tale 2021-03-16 20:50:13 UTC
On Foreman, OpenSCAP plugin for smart-proxy introduce a flaw which allows any client to perform actions of Foreman Server. OpenSCAP plugin and a Client system that has Puppet installed with certs signed by Puppet CA or a Foreman with a client system that has a consumer certificate from the Katello CA; attacker can use this Client’s certs to access the OpenSCAP API and perform actions which are only reserved for a Foreman server.
Comment 1 Yadnyawalk Tale 2021-03-16 20:50:21 UTC
Acknowledgments:
Name: Evgeni Golov (Red Hat) Upstream: Foreman project
Comment 2 Yadnyawalk Tale 2021-03-16 20:50:24 UTC
Mitigation:
To mitigate the flaw, disable smart_proxy_openscap plugin from the Server. You can do that either by editing `/etc/foreman-proxy/settings.d/openscap.yml` and restarting `systemctl restart foreman-proxy.service`, or by running `foreman-installer --no-enable-foreman-proxy-plugin-openscap` command.
Comment 6 Yadnyawalk Tale 2021-03-18 19:36:15 UTC
Statement:
Red Hat Satellite 6 ship smart_proxy_openscap plugin which is affected by the flaw. The highest threat from this vulnerability is to integrity and system availability.