[Security] Mitigation for smart proxy SSL verification issue

We're currently working on a security issue in the smart proxy's SSL
support, which means SSL connections that don't present a client SSL
certificate can make any request to the smart proxy. A CVE identifier
isn't yet assigned.

Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests - Smart Proxy - Foreman

The severity of this is high, as the smart proxy may control various
network resources (DNS, DHCP, Puppet CA etc.)

Until we publish fixed packages, we would strongly recommend mitigating
the effect of this with one or more of the following methods:

  1. Specify trusted_hosts in /etc/foreman-proxy/settings.yml

:trusted_hosts:

This will rely on reverse DNS of the hosts making requests and will be
default behaviour in Foreman 1.7.

Using "foreman-installer --foreman-proxy-trusted-hosts=$(hostname -f)"
will configure this too.

  2. Firewall access to port 8443 (default) on the smart proxy

e.g. for Linux and iptables:

if on the same host

iptables -A INPUT -i lo -m tcp -p tcp --dport 8443 -j ACCEPT

if remote

iptables -A INPUT -s foreman.example.com -m tcp -p tcp --dport 8443 -j ACCEPT

drop everything else

iptables -A INPUT -m tcp -p tcp --dport 8443 -j DROP

  3. Apply work-in-progress patch to smart proxy

(cd /usr/share/foreman-proxy && curl https://github.com/theforeman/smart-proxy/pull/217.patch | patch -p1)

This patch will be released for Foreman 1.6.2, and probably as 1.5.4
after more testing.

Lastly, but definitely not least, our thanks to Michael Moll, Jon
McKenzie and Michael Messmore for their reports to the project.

A reminder: if you suspect or are aware of a security issue in Foreman,
please contact foreman-security@googlegroups.com or see
Foreman :: Security for more information.

--
Dominic Cleal
Red Hat Engineering
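For the firewall mitigation (method 2): `iptables -A` appends, so an ACCEPT rule for port 8443 that is already in the INPUT chain is matched before the new rules. The script below is an added example, not part of the original post or the Foreman project. It audits `iptables -S INPUT` output for that case; the function name, sample rule sets and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `iptables -S INPUT` output on
# stdin. Assumption: only rules naming the port with --dport are evaluated.
# Exit status: 0 = restricted, 1 = exposed.
audit_proxy_port() {
    awk -v port="${1:-8443}" '
    $1 == "-P" && $2 == "INPUT" && $3 == "DROP" { policy_drop = 1 }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        dport = ""; target = ""; limited = 0
        for (i = 3; i < NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            # -s / -i narrows the rule unless negated or the source is 0.0.0.0/0
            if (($i == "-s" || $i == "-i") && $(i - 1) != "!" && $(i + 1) != "0.0.0.0/0")
                limited = 1
        }
        if (dport != port || dropped) next   # rules after a catch-all never match
        if (target == "ACCEPT" && !limited) { open_rule = $0; exit }
        if ((target == "DROP" || target == "REJECT") && !limited) dropped = 1
    }
    END {
        if (open_rule != "") { print "EXPOSED: unrestricted rule: " open_rule; exit 1 }
        if (!dropped && !policy_drop) { print "EXPOSED: no catch-all DROP for port " port; exit 1 }
        print "RESTRICTED: port " port " limited to listed sources"
    }'
}

# Constructed sample: the three rules from the post on an otherwise empty chain.
sample_mitigated() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
EOF
}

# Constructed sample: an older open ACCEPT already precedes the appended rules.
sample_shadowed() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
EOF
}

sample_mitigated | audit_proxy_port 8443
sample_shadowed | audit_proxy_port 8443 || true
```

On a live host, feed it the real chain with `iptables -S INPUT | audit_proxy_port 8443`.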