Vulnerability CVE-2011-5098 - CERT Civis.Net

Vulnerability Name:

CVE-2011-5098 (CCN-77670)

Assigned:

2011-06-28

Published:

2011-06-28

Updated:

2012-08-10

Summary:

chef-server-api/app/controllers/clients.rb in Chef Server in Chef before 0.9.20, and 0.10.x before 0.10.6, does not require administrative privileges for creating admin clients, which allows remote authenticated users to bypass intended access restrictions by leveraging read permission for the validation key and executing a knife client create command with the --admin option.

CVSS v3 Severity:

3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2011-5098

Source: CONFIRM
Type: UNKNOWN
http://tickets.opscode.com/browse/CHEF-2649

Source: CCN
Type: OSVDB ID: 84558
Chef chef-server-api/app/controllers/clients.rb --admin Option Knife Client Create Command Parsing Admin Client Creation

Source: CCN
Type: BID-54956
Chef 'clients.rb' Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
chef-clients-sec-bypass(77670)

Source: CCN
Type: Chef GIT Repository
CHEF-2649: Only allow admin clients to create admins (not validators)

Source: CONFIRM
Type: Exploit, Patch
https://github.com/opscode/chef/commit/33f0e9c58bbf047e1b401a834f3abfe72d9a8947

Vulnerable Configuration:

Configuration 1:

cpe:/a:opscode:chef:0.5.1:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.6.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.6.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.16:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.16:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:*:*:*:*:*:*:*:* (Version <= 0.9.18)

OR cpe:/a:opscode:chef:0.10.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.10.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.10.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:opscode:chef:0.9.16:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.10:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.7.8:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.10.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.10.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.10.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.9.18:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.16:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.14:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.8.12:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.6.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.6.0:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.6:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.4:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.2:*:*:*:*:*:*:*

OR cpe:/a:opscode:chef:0.5.1:*:*:*:*:*:*:*

Denotes that component is vulnerable