CVE-2018-14643
Published: 2018-09-21
Priority: P267 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.01% (92.4th percentile)
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.
Detection & IOCs (extracted from sources)
- The vulnerability exists in smart_proxy_dynflow version 0.1.8 and later; detection should target this component on Foreman >= 1.15 / Satellite >= 6.3 deployments.
- The authentication bypass was introduced by a specific commit; patch presence/absence at this commit can be used to confirm vulnerable state.
- After patching, unauthenticated requests to the Dynflow endpoint are rejected with 'No client SSL certificate supplied'; absence of this error on an unpatched system indicates exploitability.
- Arbitrary command execution against managed hosts was confirmed exploitable on Satellite 6.3.3; monitor for unexpected remote execution jobs originating from unauthenticated sources against Foreman-managed hosts.
- Mitigation: disable the Smart Proxy Dynflow component entirely by setting ':enabled:' to false in the configuration file at the specified path.
- The Red Hat Satellite 6 package 'tfm-rubygem-smart_proxy_dynflow_core' is listed as Not Affected; scope detection efforts to the 'smart_proxy_dynflow' gem, not the core variant.
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat9.8CRITICAL
OSV
smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
osv · 2018-10-08 · CVE-2018-14643 [CRITICAL]
GHSA
smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
ghsa · 2018-10-08 · CVE-2018-14643 [CRITICAL] · CWE-287
Red Hat
smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature
vendor_redhat · 2018-09-20 · CVSS 9.8 · CVE-2018-14643 [CRITICAL] · CWE-287
Mitigation: Disable Smart Proxy Dynflow by setting the :enabled: option to false in the /etc/foreman-proxy/settings.d/dynflow.yml file.
Package: tfm-rubygem-smart_proxy_dynflow_core (Red Hat Satellite 6)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-14643 smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature
bugzilla · 2018-09-14 · CVSS 9.8 · CVE-2018-14643 [CRITICAL]
A vulnerability was discovered in the Foreman Remote Execution feature, allowing an unauthorized remote attacker to perform arbitrary code execution on managed hosts. The issue affects the component smart_proxy_dynflow 0.1.8 and later (Foreman >= 1.15, Satellite >= 6.3).
Introducing commit:
https://github.com/theforeman/smart_proxy_dynflow/commit/cb7b0b5c9b602f737ab4c6e9fb47c158241cf49c#diff-6dee70f4339cfc3dd8cedfc2a34f14c2
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1629003
Discussion:
Mitigation:
Disable Smart Proxy Dynflow by setting the :enabled: option to false in the /etc/foreman-proxy/settings.d/dynflow.yml file.
---
Acknowledgments:
Name: Ivan Necas (Red Hat)
---
Bugzilla
CVE-2018-14643 rubygem-smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature [rhn_satellite_6.3]
bugzilla · 2018-09-14 · CVSS 9.8 · CVE-2018-14643 [CRITICAL]
Verified.
I tested this against 6.3.3 and was able to run the arbitrary commands against the target host.
After installing the patch, further attempts were met with this error:
"No client SSL certificate supplied".
Discussion:
*** Bug 1630489 has been marked as a duplicate of this bug. ***
---
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:2733
---
Created redmine issue https:
References:
http://www.securityfocus.com/bid/105375
https://access.redhat.com/errata/RHSA-2018:2733
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14643
https://github.com/theforeman/smart_proxy_dynflow/pull/54
Published: 2018-09-21