oss-sec mailing list archives
Multiple vulnerabilities affecting Uyuni / SUSE Manager
From: Paolo Perego <paolo.perego () suse com>
Date: Tue, 21 Jun 2022 11:47:29 +0200
Hello list,last May during a scheduled audit for the Uyuni project, two security issues were found and tracked with a CVE identifier.
1. Issues 1.1) CVE-2022-21952: unauthenticated remote DoS via resource exhaustionThe endpoint /rhn/manager/frontend-log (implemented in [4]) takes an arbitrary string of text as a POST parameter and then it writes on
/var/log/rhn/rhn_web_frontend.log file.The input is in the form of {'level':'error', 'message':'Message'}. An attacker can control both the severity level of the log message and the text.
Since this endpoint is not restricted to authenticated users, there is no throttling mechanism and it doesn't sanitize incoming input so it is possible for an unauthenticated user to write arbitrary contents in the log file.
e.g: 2022-05-13 10:24:04,855 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] ERRORcom.suse.manager.webui.controllers.FrontendLogController - [no-logged-user -
python-requests/2.27.1] - <?php phpinfo(); ?> 2022-05-13 10:24:43,911 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-4] ERRORcom.suse.manager.webui.controllers.FrontendLogController - [no-logged-user -
python-requests/2.27.1] - <script>alert();</script> 2022-05-13 10:24:51,944 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] ERRORcom.suse.manager.webui.controllers.FrontendLogController - [no-logged-user -
python-requests/2.27.1] - <script>alert(document.cookies);</script> 2022-05-13 10:25:03,741 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERRORcom.suse.manager.webui.controllers.FrontendLogController - [no-logged-user -
python-requests/2.27.1] - <script>alert('d');</script>Since there is no direct utilization of that file content in the web UI, a log poisoning attack is not possible. However, since there is no logrotate policy for that file, is it possible to exhaust available disk space by injecting big portions of text.
The log file is consumed in this file [5] where a copy operation is performed.
``` cp -fapd /var/log/rhn/*.log* $DIR/rhn-logs/rhn ``` Assigned CVSS score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 1.2) CVE-2022-31248: SUMA user enumeration via weak error message The /rhn/help/ForgotCredentials.do offer two different ways to retrieve login information in case a user forgot his/her password.The first way is asking for a password reset with your login handle and the email address.
The second way it can be used when the user can't remember the login handle, so he submits the email address and then the password recovery workflow starts.
Unfortunately, the web application uses a too detailed error message. It is possible to enumerate registered emails simply by submitting to the page and
looking at the response status code.It has been found that this service is available also using a plain GET HTTP request and that it answers 302, redirecting to the homepage in case of a valid email address and it returns 200, with an error message in case of a not present email address.
This makes the exploit code much easier to write. Assigned CVSS score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 2. Affected releases The two issues affect: + Uyuni < 2022.06 + SUSE Manager 4.1 < 4.1.15 + SUSE Manager 4.2 < 4.2.7SUSE Manager 4.1.15, 4.2.7 and 4.3.0 are not affected and also Uyuni 2022.06.
Uyuni was fixed by the commit [3]. 3. Timeline 3.1) CVE-2022-21952 2022-05-13: vulnerability was reported to upstream authors [1] 2022-05-13: upstream authors acknowledge it 2022-05-16: assigned a CVE and offered an embargo until 2022-06-20 2022-06-20: fixes were released and embargo was lifted 3.2) CVE-2022-31248 2022-05-17: vulnerability was reported to upstream authors [2] 2022-05-17: upstream authors acknowledge it 2022-05-27: assigned a CVE and offered an embargo until 2022-06-20 2022-06-20: fixes were released and embargo was lifted For both 2022-06-21 disclosed to the world 4. Links: [1] https://bugzilla.suse.com/show_bug.cgi?id=1199512 [2] https://bugzilla.suse.com/show_bug.cgi?id=1199629[3] https://github.com/uyuni-project/uyuni/commit/18ba68a0f3de2c6ab77c7b9dc46f45615aacf9e1 [4] https://github.com/uyuni-project/uyuni/blob/master/java/code/src/com/suse/manager/webui/controllers/FrontendLogController.java [5] https://github.com/uyuni-project/uyuni/blob/master/python/spacewalk/satellite_tools/spacewalk-debug#L198
-- (*_ Paolo Perego @thesp0nge //\ Software security engineer suse.com V_/_ 0A1A 2003 9AE0 B09C 51A4 7ACD FC0D CEA6 0806 294B
Attachment:
OpenPGP_0xFC0DCEA60806294B.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
Current thread:
- Multiple vulnerabilities affecting Uyuni / SUSE Manager Paolo Perego (Jun 21)