CVE-2013-2143
Published 2014-04-17
Priority P3 · 56 · CVSS 2.0 6.5 (medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT available
EPSS: 48.22% (98.7th percentile)
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | katello | <= 1.5.0-14 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated or low-privilege PUT requests to the update_roles endpoint; any PUT to /users/<id>/update_roles from a non-admin session is anomalous and indicative of privilege escalation exploitation.
- Monitor for HTTP PUT requests containing the POST body parameter 'user[role_ids][]=1', which sets the target account to administrator (role ID 1).
- Look for the X-CSRF-Token header being supplied alongside a _katello_session cookie in PUT requests to /users/*/update_roles; this is the exact pattern used by the Metasploit exploit module.
- Alert on successful HTTP responses (X-Message-Type: success) to PUT /users/*/update_roles from non-administrative accounts, indicating a successful privilege escalation.
- Inspect Katello/Satellite application logs for calls to the update_roles action in users_controller.rb originating from non-admin users.
- Note: the vulnerability only affects Katello 1.5.0-14 and earlier; Red Hat Satellite 6 (katello package) is listed as Not Affected, so detection efforts should be scoped to legacy Satellite/Subscription Asset Manager deployments.
- Note: the Metasploit module defaults to SSL on port 443; detections based on port alone may miss deployments running on non-standard ports.
- Note: the exploit requires valid credentials for any existing user account (remote authenticated users); purely unauthenticated traffic detection will not catch this attack.
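The indicators above translate directly into a log-review rule: any PUT to /users/<id>/update_roles from a session that is not an administrator is anomalous, and one that requests role ID 1 and receives a 2xx response is a likely successful escalation. The following is an added example, not code from the page, Katello or the Metasploit module; the log line format, the sample lines, the admin user set and the assumption that role ID 1 is the administrator role are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not taken from any real Katello/Satellite deployment).
# Assumed format, one request per line:
#   <client_ip> <authenticated_user> "<METHOD> <PATH> HTTP/1.x" <status> "<url-encoded request body>"
SAMPLE_LOG = """\
10.0.0.5 alice "PUT /users/42/update_roles HTTP/1.1" 200 "user%5Brole_ids%5D%5B%5D=1&authenticity_token=tok"
10.0.0.5 alice "GET /users/42 HTTP/1.1" 200 ""
10.0.0.9 admin "PUT /users/42/update_roles HTTP/1.1" 200 "user%5Brole_ids%5D%5B%5D=1"
10.0.0.7 bob "PUT /users/7/update_roles HTTP/1.1" 403 "user%5Brole_ids%5D%5B%5D=3"
10.0.0.8 carol "PUT /users/8/update_roles HTTP/1.1" 200 "user%5Brole_ids%5D%5B%5D=3"
this line is not a request and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<body>[^"]*)"$'
)
# The vulnerable action: PUT /users/<id>/update_roles (update_roles in users_controller.rb).
UPDATE_ROLES_RE = re.compile(r"^/users/(?P<target>\d+)/update_roles$")
# Assumption for this example: role id 1 is the administrator role, as in the indicator above.
ADMIN_ROLE_ID = "1"


def parse_log_line(line):
    """Return a dict of request fields, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def requested_role_ids(body):
    """Extract the role ids carried in a url-encoded Rails body (user[role_ids][]=N&...)."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("user[role_ids][]", [])


def detect_role_escalation(lines, admin_users):
    """Flag PUT /users/<id>/update_roles requests issued by sessions not in admin_users.

    Every such request is anomalous, because only administrators should be able to change
    roles. Severity is 'high' when the request asked for the administrator role and the
    server answered 2xx (the escalation most likely succeeded), 'medium' otherwise.
    """
    findings = []
    for line in lines:
        req = parse_log_line(line)
        if req is None or req["method"] != "PUT":
            continue
        path_match = UPDATE_ROLES_RE.match(req["path"])
        if path_match is None or req["user"] in admin_users:
            continue
        roles = requested_role_ids(req["body"])
        succeeded = req["status"].startswith("2")
        severity = "high" if ADMIN_ROLE_ID in roles and succeeded else "medium"
        findings.append({
            "user": req["user"],
            "source_ip": req["ip"],
            "target_user_id": path_match.group("target"),
            "role_ids": roles,
            "status": int(req["status"]),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect_role_escalation(SAMPLE_LOG.splitlines(), admin_users={"admin"}):
        print(f"[{f['severity']}] {f['user']}@{f['source_ip']} set roles {f['role_ids']} "
              f"on user {f['target_user_id']} (HTTP {f['status']})")
```

On the constructed sample, alice's request is reported as high (administrator role requested, HTTP 200), bob's rejected request and carol's non-admin role change are reported as medium because any role update from a non-admin session is unexpected, and the admin's own request is ignored. Because the check keys on the path and body rather than the port, it also covers the non-standard-port deployments noted above.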
CVSS provenance
- nvd: CVSS 2.0 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
- vendor_redhat: 6.5 MEDIUM
GHSA
GHSA-rhwm-66gm-6j9v (ghsa_unreviewed · 2022-05-13 · CVE-2013-2143 · MEDIUM · CWE-20)
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
Red Hat
Katello: /app/controllers/users_controller.rb insufficient privilege check (vendor_redhat · 2014-03-24 · CVE-2013-2143 · MEDIUM · CWE-862 · CVSS 6.5)
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.
- Package: katello (Red Hat Satellite 6) - Not affected
- Package: katello (Red Hat Subscription Asset Manager) - Will not fix
No detection rules found.
Exploit-DB
Katello (RedHat Satellite) - users/update_roles Missing Authorisation (Metasploit) (exploitdb · 2014-03-26 · CVE-2013-2143)
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',
  'Description' => %q{
    This module exploits a missing authorization vulnerability in the
    "update_roles" action of "users" controller of Katello and Red Hat Satellite
    (Katello 1.5.0-14 and earlier) by changing the specified account to an
    administrator account.
  },
  'Author' => 'Ramon de C Valle',
  'License' => MSF_LICENSE,
  'References' =>
    [
      ['CVE', '2013-2143'],
      ['CWE', '862']
    ],
  'DisclosureDate' => 'Mar 24 2014'
)
register_options(
  [
    Opt::RPORT(443),
    OptBool.new('
```
Metasploit
Katello (Red Hat Satellite) users/update_roles Missing Authorization (metasploit)
This module exploits a missing authorization vulnerability in the "update_roles" action of "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.
References:
- http://packetstormsecurity.com/files/125866/Katello-Red-Hat-Satellite-users-update_roles-Missing-Authorization.html
- http://www.exploit-db.com/exploits/32515
- http://www.osvdb.org/104981
- http://www.securityfocus.com/bid/66434