[Security] Mitigation for smart proxy SSL verification issue

We're currently working on a security issue in the smart proxy's SSL
support, which means SSL connections that don't present a client SSL
certificate can make any request to the smart proxy. A CVE identifier
isn't yet assigned.

Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests - Smart Proxy - Foreman

The severity of this is high, as the smart proxy may control various
network resources (DNS, DHCP, Puppet CA etc.)

Until we publish fixed packages, we would strongly recommend mitigating
the effect of this with one or more of the following methods:

  1. Specify trusted_hosts in /etc/foreman-proxy/settings.yml


This will rely on reverse DNS of the hosts making requests and will be
default behaviour in Foreman 1.7.

Using "foreman-installer --foreman-proxy-trusted-hosts=$(hostname -f)"
will configure this too.

  1. Firewall access to port 8443 (default) on the smart proxy

e.g. for Linux and iptables:

if on the same host

iptables -A INPUT -i lo -m tcp -p tcp --dport 8443 -j ACCEPT

if remote

iptables -A INPUT -s foreman.example.com -m tcp -p tcp --dport 8443 -j

drop everything else

iptables -A INPUT -m tcp -p tcp --dport 8443 -j DROP

  1. Apply work-in-progress patch to smart proxy

(cd /usr/share/foreman-proxy && curl
https://github.com/theforeman/smart-proxy/pull/217.patch | patch -p1)

This patch will be released for Foreman 1.6.2, and probably as 1.5.4
after more testing.

Lastly, but definitely not least, our thanks to Michael Moll, Jon
McKenzie and Michael Messmore for their reports to the project.

A reminder: if you suspect or are aware of a security issue in Foreman,
please contact foreman-security@googlegroups.com or see
Foreman :: Security for more information.

ยทยทยท -- Dominic Cleal Red Hat Engineering