Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20221104161945.5thjnd6axcdo5fme@zion>
Date: Fri, 4 Nov 2022 17:19:45 +0100
From: Paolo Perego <pperego@...e.de>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities affecting UYUNI/SUSE Manager

Hello list, during a scheduled audit for the UYUNI / SUSE Manager project, three
security issues were found and tracked with a CVE identifier.

1. Issues

1.1 CVE-2022-31255: directory path traversal vulnerability in
    CobblerSnipperViewAction

When viewing cobbler autoinstallation snippet, it is possible to evade
from /var/lib/cobbler/snippet path using the "path" request parameter
and accessing files outside the webserver root directory.

On a default installation, tomcat is running as a non-privileged user
process, so the impact on the file system confidentiality is for files
viewable by tomcat user, for groups www, susemanager and tomcat and for
files viewable by anyone.

To exploit this vulnerability there is no need for a particular script
but an authenticated SUMA session is needed.

CVSS is 5.0: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H

To exploit this vulnerability you have just to pass the desired file
using the path parameter:

https://<SERVER>/rhn/kickstart/cobbler/CobblerSnippetView.do?path=%2Fvar%2Flib%2Fcobbler%2Fsnippets%2F../../../../etc/rhn/rhn.conf

1.2 CVE-2022-43753: arbitrary file disclosure vulnerability in
    ScapResultDownload

When downloading the openscap result for a given system, it is possible
to evade from the location where the report is created and access
arbitrary files.

On a default installation, tomcat is running as a non-privileged user
process, so the impact on the file system confidentiality is for files
viewable by tomcat user, for groups www, susemanager and tomcat and for
files viewable by anyone.

To exploit this vulnerability there is no need for a particular script
but an authenticated UYUNI/SUMA session is needed.

CVSS is 5.0: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H

PoC
https://server_ip/rhn/systems/details/audit/ScapResultDownload.do?sid=1000010000&xid=1&name=../../../../../../../etc/passwd

1.3 CVE-2022-43754: reflected cross site scripting in
    /rhn/audit/scap/Search.do

In the "Search XCCDF Rules For:" text field, the attacker can inject
malicious javascript code by using "/> as prefix and then the arbitrary
js (e.g. "/><script>alert(1)</script>.

The injected code is copied in the HTML without sanitization, in the
alert and messages portion of the page. The "/> sequence is needed to
trigger the error and then having the js code to be copied in the output
page.

Here it is the evil payload in the result page:

 <!-- Alerts and messages -->
    <div class="alert alert-warning">
      <ul>
        <li>Could not parse query '"/><script>alert(1)</script>'.</li>
      </ul>
    </div>

Please note that this attack is possible only on a successful POST
request on an authenticated session. This limits the severity of the
issue itself.

CVSS is 3.0: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

I marked confidentiality low because pxt-session-cookie and JSESSIONID
cookies are HttpOnly and secure. So even the exposure is limited.

2. Affected releases

The three vulnerabilities are present in the following releases:
* all SUSE Manager 4.2 versions before 4.2.10
* all SUSE Manager 4.3 versions before 4.3.2
* all UYUNI versions before Uyuni-2022.10

3. Timeline

3.1 CVE-2022-31255
2022-10-20: vulnerability was reported to upstream authors [1]
2022-10-20: upstream authors acknowledge it
2022-10-21: offered an embargo until 2022-11-04
2022-10-24: assigned a CVE
2022-11-04: fixes were released and embargo was lifted

3.2 CVE-2022-43753
2022-10-25: vulnerability was reported to upstream authors [2]
2022-10-26: upstream authors acknowledge it and a CVE is assigned
2022-10-26: offered an embargo until 2022-11-04
2022-11-04: fixes were released and embargo was lifted

3.3 CVE-2022-43754
2022-10-26: vulnerability was reported to upstream authors [3]
2022-10-26: upstream authors acknowledge it and a CVE is assigned
2022-10-26: offered an embargo until 2022-11-04
2022-11-04: fixes were released and embargo was lifted

4. Links
4.1 https://bugzilla.suse.com/show_bug.cgi?id=1204543
4.2 https://bugzilla.suse.com/show_bug.cgi?id=1204716
4.3 https://bugzilla.suse.com/show_bug.cgi?id=1204741
4.4 uyuni upstream merge commit: https://github.com/uyuni-project/uyuni/commit/d8fe770ebbad161de0b628f663de4e5bd1b8c204
4.5 https://www.suse.com/security/cve/CVE-2022-31255.html
4.6 https://www.suse.com/security/cve/CVE-2022-43754.html
4.7 https://www.suse.com/security/cve/CVE-2022-43753.html

Regards,
Paolo

--
(*_  Paolo Perego                           @thesp0nge
//\  Software security engineer               suse.com
V_/_ 0A1A 2003 9AE0 B09C 51A4 7ACD FC0D CEA6 0806 294B

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.