First published: Tue Mar 17 2015 (Updated: )
Kurt Seifried of Red Hat reports: edeploy uses HTTP to download a large number of sensitive files which can lead to code execution:

```
./ansible/edeploy-install.yml: value=http://{{ ansible_default_ipv4["address"] }}/
./build/base.install: echo "Acquire { Retries \"0\"; HTTP { Proxy \"http://${HTTP_PROXY}\"; }; };" >> "$target/etc/apt/apt.conf.d/01proxy"
./build/base.install: curl -o ${target}/tmp/tar.deb http://ftp.debian.org/debian/pool/main/t/tar/tar_1.27.1-1~bpo70+1_${ARCH:=amd64}.deb
./build/base.install: echo "deb http://security.ubuntu.com/ubuntu $dist-security main universe multiverse" >> ${target}/etc/apt/sources.list
./build/base.install: echo "deb http://security.debian.org/ $dist/updates main" > ${target}/etc/apt/sources.list.d/updates.list
./build/base.install: wget -O - http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/debian ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/ubuntu precise main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget -O - http://hwraid.le-vert.net/ubuntu/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: echo "deb http://hwraid.le-vert.net/ubuntu ${dist} main" > $target/etc/apt/sources.list.d/hwraid.list
./build/base.install: wget --no-verbose http://downloads.linux.hp.com/SDR/downloads/MCP/pool/non-free/$package_name -O $target/../../$package_name
./build/base.install: http://downloads.linux.hp.com/SDR/downloads/ServicePackforProLiant/2013.02.0/hp/swpackages/hpacucli-9.40-12.0.x86_64.rpm
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey1024.pub
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
./build/base.install:baseurl=http://downloads.linux.hp.com/repo/spp/rhel/$CODENAME_MAJOR.$CODENAME_MINOR/x86_64/current
./build/common: wget --no-verbose http://us.archive.ubuntu.com/ubuntu/ubuntu/pool/universe/libm/libmlx4/$LIBMLX
./build/health-check.install: PACKAGES="$PACKAGES numpy http://pkgs.repoforge.org/netperf/netperf-2.6.0-1.el6.rf.x86_64.rpm"
./build/health-check.install: PACKAGES="$PACKAGES python-psutil http://pkgs.repoforge.org/fio/fio-2.1.7-1.el6.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/health-check.install: PACKAGES="$PACKAGES http://pkgs.repoforge.org/fio/fio-2.1.7-1.el7.rf.x86_64.rpm http://pkgs.repoforge.org/lshw/lshw-2.17-1.el7.rf.x86_64.rpm"
./build/init: curl -s -S -o/configure -F section=${SECTION} -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py &
./build/init: give_up "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py'"
./build/init: log "Transferring files from http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy..."
./build/init: curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x --xattrs --selinux -C $d || give_up "Unable to download http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy"
./build/init.common: curl http://169.254.169.254/2009-04-04/user-data -fso /user-data -m 5 --retry 10 --retry-delay 2
./build/init.common: curl -s -S -o/log.stats -F section=${SECTION} -F file=@/${log_file} http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py || :
./build/init.common: curl -s -S -F section=${SECTION} -F failure=$PROFILE -F file=@/hw.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload.py
./build/init.health:curl -s -S $SESSION_CURL -F file=@/health.json http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py &
./build/init.health: log "Curl exited as failed ($RET_CODE). Cannot get a configuration from http://${SERV}:${HTTP_PORT}/${HTTP_PATH}/upload-health.py'"
./build/pxe.install: PACKAGES="$PACKAGES http://pkgs.repoforge.org/lshw/lshw-2.17-1.el6.rf.x86_64.rpm"
./build/repositories: echo "http://http.debian.net/debian"
./build/repositories: echo "http://archive.ubuntu.com/ubuntu"
./build/repositories: echo "http://mirror.centos.org/centos/6.5/os/x86_64/Packages/centos-release-6-5.el6.centos.11.1.x86_64.rpm"
./build/repositories: echo "http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-0.1406.el7.centos.2.3.x86_64.rpm"
./build/repositories: wget "http://dev.centos.org/centos/6/SCL/scl.repo" -O $dir/etc/yum.repos.d/scl.repo
Binary file ./build/sources/lshw matches
./server/edeploy.conf:PXEMNGRURL=http://192.168.122.1:8000/
./server/upload-health.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./server/upload.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./setup.cfg:home-page = http://www.enovance.com/
./src/sample_dmesg: Command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|
./src/sample_dmesg: Kernel command line: BOOT_IMAGE=vmlinuz initrd=http://10.101.14.14/health.pxe DEBUG=1 SERV=10.101.14.14 HSERV=10.101.14.14 UPLOAD_LOG=1 IP=all:dhcp SESSION=smoke NONETWORKTEST=1 ONSUCCESS=console ONFAILURE=console |pci=bfsort|
```
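Triaging a `grep -r http://` listing like the one above by hand is error-prone, because not every hit carries the same risk. This added Python example (not part of the report, of eDeploy or of Red Hat's tooling) classifies such hits by what the fetched content is used for, so that signing keys fed to `apt-key add` or `rpm --import` over plain HTTP surface first; the category names are this example's own, and the sample lines are constructed in the shape of the hits quoted above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class Finding(NamedTuple):
    path: str
    category: str
    url: str

HTTP_URL = re.compile(r"http://[^\s\"'|>]+")  # plain HTTP only; https:// never matches

# Ordered rules, first match wins. The categories are this example's own naming.
RULES = [
    # Key fetched over HTTP, then trusted for every later signature check: worst class.
    ("trust-anchor", re.compile(r"apt-key add|rpm --import")),
    # Instance metadata is link-local plaintext by design: review, not a fix target.
    ("metadata-service", re.compile(r"169\.254\.169\.254")),
    # Repo definitions: packages are signed, but plaintext metadata can be replayed or withheld.
    ("repo-config", re.compile(r'^\s*echo\s+"deb\s|baseurl=')),
    # Content that is downloaded and then unpacked or installed.
    ("artifact", re.compile(r"\b(curl|wget)\b")),
]
SEVERITY_ORDER = [category for category, _ in RULES] + ["informational"]

def classify(grep_line: str) -> Optional[Finding]:
    """Turn one `grep -r http:// .` hit into a Finding; None if it has no plain-HTTP URL."""
    path, _, content = grep_line.partition(":")  # no colon ("Binary file ... matches") -> empty content
    match = HTTP_URL.search(content)
    if not match:
        return None
    for category, pattern in RULES:
        if pattern.search(content):
            return Finding(path, category, match.group(0))
    return Finding(path, "informational", match.group(0))  # URL only in a string or comment

def audit(grep_output: str) -> Dict[str, List[Finding]]:
    """Group findings by category, worst class first, so review starts with trust anchors."""
    grouped: Dict[str, List[Finding]] = {}
    for line in grep_output.splitlines():
        finding = classify(line)
        if finding:
            grouped.setdefault(finding.category, []).append(finding)
    return {c: grouped[c] for c in SEVERITY_ORDER if c in grouped}

# Constructed sample in the shape of the grep hits quoted in the report (not real output).
SAMPLE_GREP = """\
./build/base.install: wget -O - http://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key | do_chroot $target apt-key add -
./build/base.install: do_chroot $dir rpm --import http://downloads.linux.hp.com/SDR/hpPublicKey2048.pub
./build/base.install: echo "deb http://security.debian.org/ $dist/updates main" > ${target}/etc/apt/sources.list.d/updates.list
./build/init: curl -s -S http://${HSERV}:${HSERV_PORT}/${HPATH}/${VERS}/${ROLE}-${VERS}.edeploy | gzip -d | tar x -C $d
./build/init.common: curl http://169.254.169.254/2009-04-04/user-data -fso /user-data -m 5
./setup.cfg:home-page = http://www.enovance.com/
"""
```

Running `audit(SAMPLE_GREP)` returns the two key imports under `trust-anchor` ahead of everything else; a real run would feed it the output of `grep -r http:// .` over the checkout.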
Affected Software | Affected Version | How to fix
---|---|---
Red Hat eDeploy | |
The severity of REDHAT-BUG-1202972 is high because the insecure HTTP downloads can be exploited to achieve code execution.
To fix REDHAT-BUG-1202972, configure edeploy to download files over HTTPS instead of HTTP.
All versions of Red Hat eDeploy that download over HTTP are potentially affected by REDHAT-BUG-1202972.
REDHAT-BUG-1202972 can also lead to data leakage, because sensitive files are transferred in the clear over HTTP.
REDHAT-BUG-1202972 can facilitate man-in-the-middle attacks leading to unauthorized code execution: the report shows filesystem images (the `.edeploy` archives piped into `tar`) and package signing keys (`apt-key add`, `rpm --import`) being taken directly from unauthenticated HTTP responses, so anyone able to alter those responses controls what the build installs and which keys it trusts.