Red Hat OpenShift Enterprise Authentication Bypass Vulnerability
9 Jun. 2014
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to a passthrough trigger.
The information has been provided by Kurt Seifried.
* Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier
* Red Hat OpenShift Enterprise 2.0.6 and later
The remote-user auth plugin provides an httpd config file intended to require authentication before setting the REMOTE_USER env var which is passed on to the plugin. However there are passthrough provisions for other forms of auth; in particular, the management console is allowed to set the X-Remote-User header on a request and have that transmuted to the REMOTE_USER env var (by virtue of being a non-proxied local request). When the REMOTE_USER env var is set, the remote-user plugin automatically trusts it. By combining the X-Remote-User header with one of the other passthrough triggers, any user can be impersonated without authenticating at all.