Foreman Command Injection Vulnerability in WebSocket Proxy Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in Foreman's WebSocket proxy implementation, affecting versions through 3.17.0. This vulnerability allows remote code execution on the Foreman server. It arises from the use of unsanitized hostname values from compute resource providers, which are incorporated into shell commands. An attacker could exploit this by operating a malicious compute resource server, such as VMware vSphere or Libvirt, and then accessing the VM VNC console functionality. Successful exploitation could lead to the compromise of sensitive credentials and the entire managed infrastructure.
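The defect described above is a provider-supplied hostname reaching a shell. The following Ruby snippet, added here as an illustration and not Foreman's own code, contrasts the unsafe string-interpolation pattern with a hardened one that validates the hostname against RFC 1123 syntax and launches the proxy through an argv array so no shell ever parses the value; the command name `vnc-ws-proxy` and its arguments are hypothetical placeholders.

```ruby
# Added example (not Foreman's implementation): treating a compute-resource
# hostname as untrusted input before it reaches a process launch.

# Hypothetical proxy binary; the real command and flags are not on the page.
CONSOLE_PROXY_BIN = "vnc-ws-proxy".freeze
LISTEN_ADDR = "0.0.0.0:5901".freeze

# RFC 1123 host syntax: dot-separated labels of letters, digits and hyphens,
# 1-63 chars per label, 253 chars overall. Shell metacharacters (";", "$(",
# backticks, quotes, spaces) cannot match, so a poisoned value is rejected.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_console_host?(host)
  host.is_a?(String) && HOSTNAME_RE.match?(host)
end

def valid_port?(port)
  port.is_a?(Integer) && (1..65535).cover?(port)
end

# Vulnerable pattern: the provider value is interpolated into one string that
# is later handed to a shell (system "...", backticks, Kernel#spawn with a
# single string). A host such as "vm1; id" makes the shell run a second command.
def vulnerable_proxy_command(host, port)
  "#{CONSOLE_PROXY_BIN} #{LISTEN_ADDR} #{host}:#{port}"
end

# Hardened pattern: validate first, then build an argv array. Ruby passes an
# array to execve directly, so no shell parsing happens at all.
def hardened_proxy_argv(host, port)
  raise ArgumentError, "refusing unsafe console host: #{host.inspect}" unless valid_console_host?(host)
  raise ArgumentError, "refusing invalid console port: #{port.inspect}" unless valid_port?(port)
  [CONSOLE_PROXY_BIN, LISTEN_ADDR, "#{host}:#{port}"]
end

# Launch helper: argv form of Process.spawn never invokes /bin/sh.
def spawn_console_proxy(host, port)
  Process.spawn(*hardened_proxy_argv(host, port))
end
```

Even when a shell is unavoidable, the argument should still be validated first and then escaped with `Shellwords.escape`; validation alone is what stops the poisoned value from being accepted.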
Impact
Exploitation of this vulnerability allows for remote code execution on the Foreman server, with the executed code running as the Foreman user. This access includes Foreman's database credentials and encryption keys, enabling the decryption of all stored infrastructure credentials, such as vCenter, AWS, SSH keys, and API tokens. Consequently, an attacker could pivot and compromise the entire managed infrastructure.
Reproduction
To reproduce this vulnerability, first operate a malicious vSphere server that returns poisoned hostname values. Then configure this server as a compute resource in Foreman. After setting up the malicious server, access the VM console functionality through the Foreman UI. This triggers the exploitation, leading to remote code execution on the Foreman server.
Remediation
A patch for this vulnerability is available, but it needs to be reviewed and verified.