Message-ID: <b97faf58-26d9-61ef-2a27-0d54a15d2e64@suse.com>
Date: Tue, 21 Jun 2022 11:47:29 +0200
From: Paolo Perego <paolo.perego@...e.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting Uyuni / SUSE Manager

Hello list,
     last May, during a scheduled audit of the Uyuni project, two 
security issues were found, and each was tracked with a CVE identifier.

1. Issues
1.1) CVE-2022-21952: unauthenticated remote DoS via resource exhaustion

The endpoint /rhn/manager/frontend-log (implemented in [4]) takes an 
arbitrary string of text as a POST parameter and writes it to the
/var/log/rhn/rhn_web_frontend.log file.

The input is in the form of {'level':'error', 'message':'Message'}. An 
attacker can control both the severity level of the log message and the 
text.

Since this endpoint is not restricted to authenticated users, has no 
throttling mechanism and does not sanitize incoming input, an 
unauthenticated user can write arbitrary contents to the log file.

e.g.:
2022-05-13 10:24:04,855 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] ERROR com.suse.manager.webui.controllers.FrontendLogController - [no-logged-user - python-requests/2.27.1] - <?php phpinfo(); ?>
2022-05-13 10:24:43,911 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-4] ERROR com.suse.manager.webui.controllers.FrontendLogController - [no-logged-user - python-requests/2.27.1] - <script>alert();</script>
2022-05-13 10:24:51,944 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] ERROR com.suse.manager.webui.controllers.FrontendLogController - [no-logged-user - python-requests/2.27.1] - <script>alert(document.cookies);</script>
2022-05-13 10:25:03,741 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-2] ERROR com.suse.manager.webui.controllers.FrontendLogController - [no-logged-user - python-requests/2.27.1] - <script>alert('d');</script>

Since the file's content is not used directly anywhere in the web UI, 
a log poisoning attack is not possible. However, since there is no 
logrotate policy for that file, it is possible to exhaust the available 
disk space by injecting large amounts of text.

The log file is also read by the spacewalk-debug script [5], which 
copies it:

```
cp -fapd /var/log/rhn/*.log* $DIR/rhn-logs/rhn
```

Assigned CVSS score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
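As an added illustration of the controls the issue above implies (example code, not the Uyuni project's own; the real controller in [4] is Java and its internals are not reproduced here), the following Python handler for a hypothetical frontend-log endpoint accepts only a known severity level, caps the message size, refuses oversized bodies before parsing, replaces control characters so a client cannot forge additional log entries, and applies a per-client-address rate limit. The endpoint name, limits and emitted log format are assumptions made for the example; a logrotate policy for the file remains a separate, necessary control.

```python
import json
import re
import time
from collections import defaultdict

# Constructed limits for this example; the real controller in [4] may use different ones.
ALLOWED_LEVELS = {"debug", "info", "warn", "error"}
MAX_MESSAGE_BYTES = 1024            # upper bound on text an unauthenticated client may log
MAX_BODY_BYTES = 4 * MAX_MESSAGE_BYTES
RATE_LIMIT = 10                     # accepted requests per client address per window
RATE_WINDOW_SECONDS = 60.0

# CR, LF and other control characters would let a client forge extra log entries.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# client address -> timestamps of recently accepted requests (in-memory sliding window)
_recent = defaultdict(list)


def _rate_limited(client, now):
    """Sliding-window limiter: True when the client has already used its quota."""
    window = [t for t in _recent[client] if now - t < RATE_WINDOW_SECONDS]
    if len(window) >= RATE_LIMIT:
        _recent[client] = window
        return True
    window.append(now)
    _recent[client] = window
    return False


def sanitize_message(message):
    """Replace control characters with spaces and truncate to MAX_MESSAGE_BYTES."""
    cleaned = _CONTROL_CHARS.sub(" ", message)
    return cleaned.encode("utf-8")[:MAX_MESSAGE_BYTES].decode("utf-8", "ignore")


def handle_frontend_log(raw_body, client, now=None):
    """Validate one POST body for the hypothetical endpoint.

    Returns (http_status, log_line); log_line is None when nothing is written.
    """
    now = time.time() if now is None else now
    if len(raw_body.encode("utf-8")) > MAX_BODY_BYTES:  # refuse large bodies before parsing
        return 413, None
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(body, dict):
        return 400, None
    level = str(body.get("level", "")).lower()
    message = body.get("message")
    if level not in ALLOWED_LEVELS or not isinstance(message, str):
        return 400, None
    if _rate_limited(client, now):
        return 429, None
    line = "%s [no-logged-user - %s] - %s" % (level.upper(), client, sanitize_message(message))
    return 200, line


if __name__ == "__main__":
    # Constructed sample requests: a normal entry, a forged-newline attempt,
    # an unknown level and an oversized body.
    samples = [
        ('{"level":"error","message":"page failed to render"}', "10.0.0.1"),
        ('{"level":"error","message":"ok\\r\\nFORGED ENTRY"}', "10.0.0.1"),
        ('{"level":"trace","message":"x"}', "10.0.0.1"),
        ('{"level":"error","message":"%s"}' % ("A" * 10000), "10.0.0.1"),
    ]
    for body, client in samples:
        print(handle_frontend_log(body, client, now=0.0))
```

The body-size check runs before JSON parsing so that a multi-megabyte request is dropped cheaply; the per-message cap then bounds what reaches the disk even from a client that stays under the rate limit.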

1.2) CVE-2022-31248: SUMA user enumeration via weak error message

The /rhn/help/ForgotCredentials.do page offers two different ways to 
recover login information when a user has forgotten their password.

The first is to request a password reset by supplying the login handle 
and the email address.

The second is for users who cannot remember their login handle: they 
submit only the email address, and the password recovery workflow 
starts.

Unfortunately, the web application returns an overly detailed error 
message. Registered emails can be enumerated simply by submitting 
addresses to the page and looking at the response status code.

It has been found that this service is also reachable with a plain GET 
HTTP request, and that it answers 302, redirecting to the homepage, for 
a valid email address, and 200 with an error message for an email 
address that is not registered.

This makes the exploit code much easier to write.

Assigned CVSS score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
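As an added example (not Uyuni or SUSE Manager code) contrasting the weak behaviour described above with a uniform response, the Python below models a forgot-credentials handler. `weak_forgot_credentials` reproduces the observable difference the advisory reports (302 for a registered address, 200 with an error otherwise); `hardened_forgot_credentials` returns the same status and body whether or not the address exists, accepts only POST, and pads the response time so the cheap "unknown address" path is not obviously faster. The user store, response strings and latency floor are constructed for the example.

```python
import time

# Constructed user store for the example; not the SUSE Manager database.
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# One response for every outcome, so neither status nor body reveals membership.
GENERIC_RESPONSE = (200, "If that address is registered, a password reset message has been sent.")


def weak_forgot_credentials(email, method="POST"):
    """Model of the behaviour the advisory describes: the status code depends on membership."""
    if method not in ("GET", "POST"):        # the weak endpoint also answers plain GET
        return 405, "method not allowed"
    if email in REGISTERED_EMAILS:
        return 302, "redirect: /"            # registered address: redirect to the homepage
    return 200, "error: email address not found"


def hardened_forgot_credentials(email, method="POST", send_reset=None, min_latency=0.05):
    """Uniform response: same status and body whether or not the address is registered."""
    if method != "POST":                     # recovery is state-changing, so POST only
        return 405, "method not allowed"
    started = time.monotonic()
    if email in REGISTERED_EMAILS and send_reset is not None:
        send_reset(email)                    # side effect only; nothing about it is reported
    # Pad the response time so the cheap "unknown address" path is not much faster.
    remaining = min_latency - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)
    return GENERIC_RESPONSE


def responses_distinguishable(handler, known_email, unknown_email):
    """True when an observer can tell a registered address from an unknown one."""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    pair = ("alice@example.com", "nobody@example.com")
    print("weak handler leaks:", responses_distinguishable(weak_forgot_credentials, *pair))
    print("hardened handler leaks:", responses_distinguishable(hardened_forgot_credentials, *pair))
```

The reset email itself is the only channel that should confirm an address; sending it from a background queue rather than inline is the usual way to keep the request path identical for both cases.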

2. Affected releases

The two issues affect:
     + Uyuni < 2022.06
     + SUSE Manager 4.1 < 4.1.15
     + SUSE Manager 4.2 < 4.2.7

SUSE Manager 4.1.15, 4.2.7 and 4.3.0, as well as Uyuni 2022.06, are not 
affected. Uyuni was fixed by commit [3].

3. Timeline

3.1) CVE-2022-21952
2022-05-13: vulnerability reported to upstream authors [1]
2022-05-13: upstream authors acknowledged it
2022-05-16: CVE assigned and an embargo offered until 2022-06-20
2022-06-20: fixes released and embargo lifted

3.2) CVE-2022-31248
2022-05-17: vulnerability reported to upstream authors [2]
2022-05-17: upstream authors acknowledged it
2022-05-27: CVE assigned and an embargo offered until 2022-06-20
2022-06-20: fixes released and embargo lifted

2022-06-21: both issues publicly disclosed

4. Links:

[1] https://bugzilla.suse.com/show_bug.cgi?id=1199512
[2] https://bugzilla.suse.com/show_bug.cgi?id=1199629
[3] https://github.com/uyuni-project/uyuni/commit/18ba68a0f3de2c6ab77c7b9dc46f45615aacf9e1
[4] https://github.com/uyuni-project/uyuni/blob/master/java/code/src/com/suse/manager/webui/controllers/FrontendLogController.java
[5] https://github.com/uyuni-project/uyuni/blob/master/python/spacewalk/satellite_tools/spacewalk-debug#L198

-- 
(*_  Paolo Perego                           @thesp0nge
//\  Software security engineer               suse.com
V_/_ 0A1A 2003 9AE0 B09C 51A4 7ACD FC0D CEA6 0806 294B
