Bug 1210086

Summary: VUL-1: SUMA: disclosing session swap key when debug is enabled
Product: [Novell Products] SUSE Security Incidents
Reporter: Paolo Perego <paolo.perego>
Component: Incidents
Assignee: Cédric Bosdonnat <cbosdonnat>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: gianluca.gabrielli, jgonzalez, kwalter, logu.rangasamy, marina.latini, parlt
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1209434

Description Paolo Perego 2023-04-04 09:51:23 UTC
The rhnHmacData() routine, contained in the class src/com/redhat/rhn/common/security/SessionSwap.java, discloses the following information when debug is enabled:
* the strings that will be hashed
* the hashing key (contained in ConfigDefaults.WEB_SESSION_SWAP_SECRET_[1-4])

The rhnHmacData routine is used in the DownloadManager.java class, from the spacewalk-java archive, to create a SHA1 token for a file, given some properties.

If debug is enabled, the strings that will be disclosed are:
* expire time for the download url
* user id
* file id
* filename
* type of download (package, iso, ...)

Please note that debug must be explicitly enabled on the server. This limits the attack perimeter.

This is an instance of CVE-2023-22644 (bsc#1209434).
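To make the reported defect class concrete, the following is an added example written for this page; it is not code from SessionSwap.java, DownloadManager.java, or the linked fix PR. It assumes a hypothetical class HmacLoggingExample with helpers hmacSha1Hex, hmacDataLeaky and hmacDataSafe, uses java.util.logging rather than whatever logging framework spacewalk-java uses, and substitutes a constructed secret for ConfigDefaults.WEB_SESSION_SWAP_SECRET_[1-4]. The leaky variant shows how a debug statement writes both the key and the token inputs to the log; the hardened variant keeps the same HMAC computation but logs nothing that a reader of the log file could turn into a key or a forged download URL.

```java
import java.nio.charset.StandardCharsets;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacLoggingExample {
    private static final Logger LOG = Logger.getLogger(HmacLoggingExample.class.getName());

    // Constructed sample secret for this example only; in SUSE Manager the real
    // keys come from ConfigDefaults.WEB_SESSION_SWAP_SECRET_[1-4].
    private static final String SECRET = "constructed-example-secret";

    /** HMAC-SHA1 over data with the given key, returned as lowercase hex. */
    static String hmacSha1Hex(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(out.length * 2);
        for (byte b : out) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Vulnerable pattern (a hypothetical rendering of the reported defect, not the
     * project's code): when the logger is at debug level, the secret key and the
     * plaintext being authenticated are both written to the log.
     */
    static String hmacDataLeaky(String key, String data) throws Exception {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("hashing [" + data + "] with key [" + key + "]");
        }
        return hmacSha1Hex(key, data);
    }

    /**
     * Hardened variant: identical HMAC computation, but the debug message carries
     * neither the key nor the token inputs, only the size of the input. A log
     * reader learns that a token was computed and nothing else.
     */
    static String hmacDataSafe(String key, String data) throws Exception {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("computing download token over " + data.length() + " chars of input");
        }
        return hmacSha1Hex(key, data);
    }

    public static void main(String[] args) throws Exception {
        // Route FINE (debug) messages to the console so the two variants can be compared.
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);
        LOG.setLevel(Level.FINE);

        // Constructed token inputs mirroring the fields named in the report:
        // expiry time, user id, file id, filename, download type.
        String data = String.join(":", "1700000000", "42", "1234", "kernel.rpm", "package");

        System.out.println("leaky token: " + hmacDataLeaky(SECRET, data));
        System.out.println("safe token:  " + hmacDataSafe(SECRET, data));
    }
}
```

Both calls return the same token, which is the point: the fix is in what reaches the log, not in the cryptography. When reviewing similar code, a quick check is to grep debug-level log statements for any variable that also flows into Mac.init or SecretKeySpec; log files are routinely shipped to support and monitoring systems with weaker access controls than the server's configuration.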
Comment 11 Paolo Perego 2023-06-21 12:47:15 UTC
Fixed.
Comment 12 Cédric Bosdonnat 2023-06-21 22:39:04 UTC
Master PR: https://github.com/uyuni-project/uyuni/pull/7176
Comment 13 Cédric Bosdonnat 2023-06-21 22:56:13 UTC
(In reply to Cédric Bosdonnat from comment #12)
> Master PR: https://github.com/uyuni-project/uyuni/pull/7176

Confusion: the PR for this bug is https://github.com/uyuni-project/uyuni/pull/7179
Comment 15 Maintenance Automation 2024-02-27 11:26:18 UTC
SUSE-RU-2023:2566-1: An update that solves one vulnerability, contains one feature and has 58 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1201063, 1203599, 1204089, 1204270, 1204900, 1205600, 1206060, 1206191, 1206423, 1206725, 1206783, 1207063, 1207595, 1207814, 1207829, 1207830, 1208288, 1208321, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208661, 1208687, 1208719, 1208772, 1208965, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209277, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-666
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): susemanager-build-keys-15.4.9-150400.3.20.2, spacecmd-4.3.21-150400.3.18.5, mgr-daemon-4.3.7-150400.3.9.5, spacewalk-web-4.3.31-150400.3.21.7, spacewalk-proxy-4.3.16-150400.3.20.6, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-proxy-installer-4.3.11-150400.3.6.4, uyuni-common-libs-4.3.8-150400.3.12.5
SUSE Manager Server 4.3 Module 4.3 (src): susemanager-4.3.27-150400.3.26.5, spacewalk-setup-4.3.16-150400.3.21.6, python-urlgrabber-4.1.0-150400.4.3.6.3, spacewalk-search-4.3.9-150400.3.12.7, virtual-host-gatherer-1.0.26-150400.3.12.3, perl-Satcon-4.3.2-150400.3.3.5, spacewalk-admin-4.3.11-150400.3.6.6, branch-network-formula-0.1.1680167239.23f2fec-150400.3.3.3, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-java-4.3.58-150400.3.46.4, supportutils-plugin-susemanager-4.3.7-150400.3.9.6, spacewalk-config-4.3.10-150400.3.6.3, susemanager-sls-4.3.33-150400.3.25.7, spacecmd-4.3.21-150400.3.18.5, hub-xmlrpc-api-0.7-150400.5.6.5, susemanager-docs_en-4.3-150400.9.27.3, susemanager-tftpsync-4.3.4-150400.3.9.9, cpu-mitigations-formula-0.5.0-150400.3.3.3, susemanager-schema-4.3.18-150400.3.18.7, susemanager-build-keys-15.4.9-150400.3.20.2, spacewalk-web-4.3.31-150400.3.21.7, cobbler-3.3.3-150400.5.25.3, uyuni-common-libs-4.3.8-150400.3.12.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-02-27 11:33:13 UTC
SUSE-RU-2023:2592-1: An update that solves two vulnerabilities, contains one feature and has 90 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1201059, 1201063, 1203599, 1204089, 1204186, 1204270, 1204900, 1205011, 1205088, 1205600, 1205759, 1206060, 1206146, 1206191, 1206423, 1206520, 1206562, 1206725, 1206783, 1206800, 1206817, 1206861, 1206932, 1206963, 1206973, 1206979, 1206981, 1207063, 1207087, 1207141, 1207297, 1207352, 1207595, 1207792, 1207799, 1207814, 1207829, 1207830, 1207838, 1207867, 1207883, 1208046, 1208119, 1208288, 1208321, 1208325, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208611, 1208661, 1208687, 1208719, 1208772, 1208908, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209259, 1209277, 1209369, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212096, 1212363, 1212516
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-666
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4, release-notes-susemanager-4.3.6-150400.3.63.2
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.6-150400.3.63.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-02-27 11:38:09 UTC
SUSE-RU-2023:2595-1: An update that solves one vulnerability, contains one feature and has 36 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1211956, 1211958, 1212096, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Proxy 4.2 Module 4.2 (src): spacewalk-backend-4.2.28-150300.4.41.4, spacecmd-4.2.23-150300.4.39.4, spacewalk-web-4.2.35-150300.3.44.4, spacewalk-ssl-cert-check-4.2.3-150300.3.3.2, susemanager-build-keys-15.3.9-150300.3.14.1, spacewalk-proxy-installer-4.2.12-150300.3.17.2, spacewalk-certs-tools-4.2.20-150300.3.30.4
SUSE Manager Server 4.2 Module 4.2 (src): inter-server-sync-0.2.8-150300.8.31.2, spacewalk-java-4.2.50-150300.3.66.5, hub-xmlrpc-api-0.7-150300.3.12.3, susemanager-schema-4.2.28-150300.3.38.4, cpu-mitigations-formula-0.5.0-150300.3.6.2, spacecmd-4.2.23-150300.4.39.4, susemanager-docs_en-4.2-150300.12.45.2, susemanager-4.2.42-150300.3.54.4, perl-Satcon-4.2.3-150300.3.3.3, susemanager-doc-indexes-4.2-150300.12.45.4, susemanager-build-keys-15.3.9-150300.3.14.1, branch-network-formula-0.1.1680167239.23f2fec-150300.3.6.2, spacewalk-backend-4.2.28-150300.4.41.4, spacewalk-certs-tools-4.2.20-150300.3.30.4, spacewalk-utils-4.2.19-150300.3.24.2, susemanager-sls-4.2.34-150300.3.51.1, spacewalk-web-4.2.35-150300.3.44.4, virtual-host-gatherer-1.0.26-150300.3.15.2, spacewalk-setup-4.2.12-150300.3.18.3, supportutils-plugin-susemanager-4.2.7-150300.3.15.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-02-27 12:00:07 UTC
SUSE-SU-2023:2594-1: An update that solves two vulnerabilities, contains one feature and has 35 security fixes can now be installed.

Category: security (important)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208046, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1212096, 1212363, 1212517
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Retail Branch Server 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Server 4.2 (src): release-notes-susemanager-4.2.13-150300.3.81.1
openSUSE Leap 15.3 (src): release-notes-susemanager-4.2.13-150300.3.81.1, release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Proxy 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.