Red Hat CloudForms全局可读(world readable)权限productio

发布日期：2012-12-05
更新日期：2012-12-08

受影响系统：
RedHat CloudForms
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56819
CVE(CAN) ID: CVE-2012-3538

Red Hat CloudForms是本地混合云基础设施即服务（IaaS）产品，可创建和管理私有和公共云。

Red Hat CloudForms将pulp管理密码以明文方式保存在world readable权限的production.log文件中，导致本地攻击者可利用此漏洞控制CloudForms部署和管理的系统。

此问题已经在下列版本内解决：
CloudForms for RHEL 6
CloudForms Tools for RHEL 5

<*来源：James Laska
 
  链接：https://bugzilla.redhat.com/show_bug.cgi?id=852199
        https://access.redhat.com/security/cve/CVE-2012-3538
       
        https://www.redhat.com/support/errata/RHSA-2012-1543.html
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

James Laska （）提供了如下测试方法：

参考自https://bugzilla.redhat.com/show_bug.cgi?id=852199

a) 漏洞重现步骤

1. Install katello
2. Run katello-configure to prepare system
3. Import a valid manifest

------------------------------------------------

b) 问题描述

The production.log is world readable ...
> # ll /var/log/katello/production.log
> -rw-r--r--. 1 katello katello 38128 Aug 27 13:56 /var/log/katello/production.log

While importing a manifest, I noticed the pulp admin password is available in plaintext in the production.log ...

> [DEBUG: 2012-08-27 13:20:08 #28453] Processing response: 200
> [DEBUG: 2012-08-27 13:20:08 #28453] Resource GET request: /pulp/api/users/admin/
> [DEBUG: 2012-08-27 13:20:08 #28453] Processing response: 200
> [DEBUG: 2012-08-27 13:20:08 #28453] Resource POST request: /pulp/api/users/, {"name":"hidden-HkmUvo","login":"hidden-HkmUvo","password":"kRez49MC87ihOXCk"}
> [DEBUG: 2012-08-27 13:20:08 #28453] Processing response: 201
> [DEBUG: 2012-08-27 13:20:08 #28453] Resource POST request: /pulp/api/roles/super-users//add/, {"username":"hidden-HkmUvo"}
> [DEBUG: 2012-08-27 13:20:08 #28453] Processing response: 200
> [DEBUG: 2012-08-27 13:20:08 #28453] Resource GET request: /pulp/api/users/hidden-HkmUvo/
> [DEBUG: 2012-08-27 13:20:09 #28453] Processing response: 200
> [DEBUG: 2012-08-27 13:20:09 #28453] Creating an owner in candlepin: ACME_Corporation
> [DEBUG: 2012-08-27 13:20:09 #28453] Resource POST request: /candlepin/owners/, {"contentPrefix":"/ACME_Corporation/$env","displayName":"ACME_Corporation","key":"ACME_Corporation"}
> [DEBUG: 2012-08-27 13:20:09 #28453] Processing response: 200
> [ INFO: 2012-08-27 13:20:09 #28453] Creating an environment in candlepin: Library

------------------------------------------------

建议：
--------------------------------------------------------------------------------
厂商补丁：

RedHat
------
RedHat已经为此发布了一个安全公告（RHSA-2012:1543-01）以及相应补丁:

RHSA-2012:1543-01：Important: CloudForms System Engine 1.1 update

链接：https://www.redhat.com/support/errata/RHSA-2012-1543.html