VYPR
Unrated severity · OSV Advisory · Published Jun 21, 2018 · Updated Aug 5, 2024

CVE-2017-2672

Description

A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Foreman versions prior to 1.15 log image registration passwords in plaintext, allowing users with audit log access to compromise provisioned systems.

Vulnerability

A flaw exists in Foreman versions prior to 1.15 (the issue was fixed in Satellite 6.3 [1]) where the password used for provisioning images (e.g., OpenStack images) is recorded in plaintext in the audit log when an image is added or registered [3]. This occurs because the password field is not filtered from the log entry, exposing the credential to anyone with access to the audit log [3].

Exploitation

An attacker needs read access to the Foreman audit log. No special network position or authentication to the compute resource is required directly; the attacker must simply have credentials to view Foreman logs (e.g., a Foreman user with appropriate permissions). The audit log can be viewed through the Foreman web UI or directly on the filesystem. The attacker can then locate log entries related to image registration and extract the plaintext password [3].

Impact

Successful exploitation allows the attacker to obtain the plaintext password for provisioned systems (e.g., newly created virtual machines using the registered image). With this password, the attacker can authenticate to those systems and achieve unauthorized access, potentially leading to information disclosure, data tampering, or further compromise [1][3].

Mitigation

Red Hat Satellite users should apply the update available via RHSA-2018:0336 (Satellite 6.3) [1]. Foreman users should upgrade to version 1.15 or later. There is no workaround for the audit log password leak; users concerned about exposure should restrict access to the audit log until the upgrade is applied. The issue has been fixed; no KEV listing exists.
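The unfiltered audit entry described under Vulnerability beside a filtered version, plus a retrospective scan for entries an unpatched instance already wrote, as an added example in Ruby (Foreman is a Rails application) that is not Foreman's own code; the set of attribute names treated as secrets and the "action {json}" log line format are assumptions made for this example:

```ruby
# Added example, not Foreman's code: redact credential attributes before an
# audit record is written, and scan an existing log for entries that leaked.
require 'json'
# Attribute names treated as secrets (an assumption for this example).
SECRET_KEYS = %w[password passwd secret token].freeze
# Vulnerable pattern: the image record is serialised into the audit entry
# as-is, so the image password lands in the log in plaintext.
def audit_entry_unfiltered(action, attrs)
  "#{action} #{JSON.generate(attrs)}"
end
# Replace the value of every secret-named key, at any nesting depth.
def redact(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SECRET_KEYS.include?(k.to_s.downcase) ? '[FILTERED]' : redact(v)
    end
  when Array then value.map { |v| redact(v) }
  else value
  end
end

# Hardened pattern: filter the attributes before they reach the log line.
def audit_entry_filtered(action, attrs)
  "#{action} #{JSON.generate(redact(attrs))}"
end

# True if any secret-named key still carries a non-redacted value.
def contains_secret?(value)
  case value
  when Hash
    value.any? do |k, v|
      (SECRET_KEYS.include?(k.to_s.downcase) && v != '[FILTERED]') || contains_secret?(v)
    end
  when Array then value.any? { |v| contains_secret?(v) }
  else false
  end
end

# Parse the trailing JSON payload of a log line; nil for lines without one.
def parse_payload(line)
  JSON.parse(line[/\{.*\}\z/] || '')
rescue JSON::ParserError
  nil
end

# Retrospective check for logs written before the fix: returns the entries
# whose payload still holds a plaintext secret, so those credentials can be rotated.
def leaked_entries(log_text)
  log_text.each_line.map(&:strip).select { |l| (a = parse_payload(l)) && contains_secret?(a) }
end
```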

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
