Bugzilla – Bug 851116
VUL-0: CVE-2013-3709: webyast: local privilege escalation via secret rails tokens execution
Last modified: 2014-01-06 15:04:22 UTC
WebYast appears to use a default "secret token". Based on this known information, an attacker could launch a remote code execution attack. References: https://github.com/webyast/webyast/blob/master/webyast/config/initializers/secret_token.rb https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb
We need to check that the secret token is not predictable on installations. More on the background: http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
osci less SUSE:SLE-11-SP2:Update:Test webyast-base

rcwebyast has:

#generate deployment specific secret key (bnc#591345)
SECRET=`cd /srv/www/webyast/ && rake -s secret`

and also:

sed -i 's/a25bdf1cfcaea649ced4549e9d2b2b6ad4cf077badc774ca034a7ba57ae17f6e1185ed07bcc4ac20fb2d062d2afa975024fca03ede7b4c5002ca68386caa27a0/'"$SECRET"/ /srv/www/webyast/config/initializers/secret_token.rb
Unfortunately, the file that contains the token is world readable:

krahmer@aal:~> ls -la /srv/www/yast/config/initializers/session_store.rb
-rw-r--r-- 1 root root 824 Nov 7 14:09 /srv/www/yast/config/initializers/session_store.rb

So local users can obtain this and execute code as the webyast user on the local machine, which should be as good as a local root exploit.
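An added admin-side check, not code from WebYast or from this update: it verifies that a Rails initializer file no longer carries the default token quoted in the rcwebyast sed line above and is not readable by other local users. The two file paths it walks are the ones named in this bug; that they are the right locations on a given host is an assumption.

```shell
#!/bin/sh
# Added example, not WebYast's own code: verify that a Rails initializer
# file no longer carries the shipped default secret token and is not
# readable by other local users. The default token and the file paths
# are taken from the bug report above.

# Default token that rcwebyast replaces via sed (from the bug report).
DEFAULT_TOKEN='a25bdf1cfcaea649ced4549e9d2b2b6ad4cf077badc774ca034a7ba57ae17f6e1185ed07bcc4ac20fb2d062d2afa975024fca03ede7b4c5002ca68386caa27a0'

# check_secret_token FILE
# Returns 0 when FILE passes both checks, 1 when either check fails,
# 2 when FILE does not exist. Findings are printed for the admin.
check_secret_token() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi
    # 1. The deployment-specific secret must have replaced the default.
    if grep -qF "$DEFAULT_TOKEN" "$f"; then
        echo "FAIL: $f still contains the default secret token"
        rc=1
    fi
    # 2. Column 8 of 'ls -l' is the read bit for "others"; 'r' means any
    #    local user can read the token (ls -l is POSIX, unlike stat -c).
    others_read=$(ls -l "$f" | cut -c8)
    if [ "$others_read" = "r" ]; then
        echo "FAIL: $f is world-readable: $(ls -l "$f")"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Paths named in this bug (assumed default locations on the host).
for f in /srv/www/webyast/config/initializers/secret_token.rb \
         /srv/www/yast/config/initializers/session_store.rb; do
    [ -f "$f" ] && check_secret_token "$f"
done
```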
This vulnerability was reported by joernchen of Phenoelit. In the update announce message, it would be good to thank and credit him for reporting this to us. (SWAMP description text).
So given that the keys and tokens are regenerated on starting, this is just a local problem due to those files being world readable. Nevertheless, as webyast is basically having root rights, this is a local privilege escalation.
I have assigned from our CVE Pool CVE-2013-3709: Due to the secret tokens being world-readable, several webyast components could be leveraged by attackers on the local machine to gain root privileges.
packages affected (at least): webyast-base-ui webyast-base-ws (if you remember other components of ATK 1.3 doing this kind of secrets, please check them too.)
Last packages were ATK 1.2; in ATK 1.3 it seems to be in: webyast-base
The SWAMPID for this issue is 55210. This issue was rated as important. Please submit fixed packages until 2013-11-29. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
I'm preparing an update for ATK-1.3, openSUSE 13.1, 12.3 and 12.2. I'd like also to fix ATK-1.2 version (although officially out of support) as the webyast SP2 repositories are still available via NCC and someone could install obsoleted version with a security problem.
Status update: I'm still working on the fix, I found some problems in my patches, (hopefully fixed, need some testing). The current (may not be final yet) patches can be found in https://build.suse.de/package/show/home:lslezak:branches:SUSE:SLE-11-SP2:Update:Products:Test/webyast-base and https://build.suse.de/package/show/home:lslezak:branches:SUSE:SLE-11-SP1:Update:ATK:1.2:Update:Test/webyast-base-ui
atk 1.2 is not maintained anymore, no need to fix I think
Yes, ATK-1.2 is officially not supported anymore, but I'd like to fix it anyway. The problem is that WY-1.2 was also released as WebYast for SLES (NCC automatically adds the WY repo during SP2 registration). Nobody dares to touch the NCC config and the problem is that the customers do not know that they should upgrade to ATK-1.3 by downloading extra add-on ISO... Leaving them with insecure 1.2 version is a bit problematic IMHO, I'd rather fix it also there (anything else but a security problem I'd happily ignore in 1.2).
Fixed by these SR: Created submit request 29742 to SUSE:SLE-11-SP2:Update:Products:Test (https://build.suse.de/request/show/29742) Created submit request 29743 to SUSE:SLE-11-SP1:Update:ATK:1.2:Update:Test (https://build.suse.de/request/show/29743) I'll submit openSUSE fixes after the SLE fixes are released.
BTW do not forget to credit "joernchen of Phenoelit" in the patch description, see comment #4.
Please submit openSUSE fixes.
Ok, will do...
Update released for: webyast-base, webyast-base-branding-default, webyast-base-testsuite, webyast-base-ui, webyast-base-ui-branding-default, webyast-base-ui-testsuite Products: SLE-SLMS 1.3 (x86_64) SLE-STUDIOONSITE 1.3 (x86_64) SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
Fixed in openSUSE: https://build.opensuse.org/request/show/211120 (12.2) https://build.opensuse.org/request/show/211121 (12.3) https://build.opensuse.org/request/show/211122 (13.1) Security team: please, release the patches.
darix suggested to also fix that in the git, if that's a different branch.
Yes, I'll push the changes to Git, I just want to wait for releasing the openSUSE updates.
openSUSE-SU-2013:1952-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 851116 CVE References: CVE-2013-3709 Sources used: openSUSE 12.3 (src): webyast-base-0.3.43.1-1.4.1
openSUSE-SU-2013:1961-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 851116 CVE References: CVE-2013-3709 Sources used: openSUSE 13.1 (src): webyast-base-0.3.45.1-2.4.1
The SWAMPID for this issue is 55631. This issue was rated as important. Please submit fixed packages until 2014-01-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
The issue is a bit difficult. ATK 1.2 with Webyast 1.2 is EOLed; however, Webyast 1.2 is also added by default to SLES 11 SP2, which is still maintained. Let's do an update for webyast 1.2 so it gets there. Test on SLES 11 SP2 addon only.
Update released for: webyast-base-ui, webyast-base-ui-branding-default, webyast-base-ui-testsuite Products: SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0022-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 851116 CVE References: CVE-2013-3709 Sources used: WebYaST 1.2 (src): webyast-base-ui-0.2.64-0.3.1