Red Hat Issues Critical Patch for Pulpcore Authentication Bypass Flaw (CVE-2024-7923)
Red Hat has issued a critical security advisory warning of an authentication bypass vulnerability (CVE-2024-7923) in Pulpcore, a content management system used in Red Hat Satellite deployments. The vulnerability, with a CVSS score of 9.8, could allow unauthorized users to gain administrative access, potentially leading to a complete system compromise.
The Flaw
The vulnerability arises when Pulpcore (version 3.0 or later) is deployed with Gunicorn versions prior to 22.0. The issue lies in how Apache's mod_proxy handles HTTP headers, specifically the restrictions on underscores in header names. Apache mod_proxy fails to correctly unset or filter out malformed HTTP headers, leaving room for attackers to inject malicious headers that trick the system into granting unauthorized access.
Attackers can exploit this flaw by crafting a malformed authentication header, allowing them to bypass the usual security checks and potentially gain administrative control over vulnerable systems. Given the administrative privileges involved, this vulnerability represents a significant risk for any organization using affected Satellite deployments, as attackers could compromise critical system operations.
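The following added illustration (not Pulpcore's, Gunicorn's or Apache's own code) models the header-normalisation collision the advisory describes: a WSGI server folds both "Remote-User" and "Remote_User" into the same CGI-style environ key, so a server that does not drop underscore names can let a client-supplied header land in the key the application trusts for the proxy's identity assertion. The header name REMOTE_USER, the helper names and the sample requests are assumptions constructed for the illustration; the hardened path shows the behaviour a defender should verify in their own deployment.

```python
# Added illustration of proxy-asserted identity headers and CGI name folding.
# ASSUMPTIONS: the app trusts HTTP_REMOTE_USER; the proxy manages "Remote-User".
from typing import Dict, List, Optional, Tuple

TRUSTED_IDENTITY_KEY = "HTTP_REMOTE_USER"  # assumed environ key the app trusts

Headers = List[Tuple[str, str]]


def cgi_key(header_name: str) -> str:
    """CGI/WSGI normalisation: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(wire_headers: Headers, drop_underscores: bool) -> Dict[str, str]:
    """Fold wire headers into a WSGI-style environ.

    drop_underscores=False models a server that trusts raw header names, so two
    different wire names can collide on one environ key.  True models the
    hardened behaviour: names containing '_' are discarded before folding, so
    only the hyphenated spelling (which the reverse proxy controls) can reach
    the trusted key.
    """
    environ: Dict[str, str] = {}
    for name, value in wire_headers:
        if drop_underscores and "_" in name:
            continue  # hardened: never fold an underscore name into environ
        environ[cgi_key(name)] = value
    return environ


def proxy_forward(client_headers: Headers, authenticated_user: Optional[str]) -> Headers:
    """Model of the reverse proxy: unset the hyphenated identity header on every
    request, then re-add it only for users the proxy itself authenticated.
    The unset rule matches the exact hyphenated name only, as a header-name
    based rule would; other spellings are forwarded untouched."""
    forwarded = [(n, v) for n, v in client_headers if n.lower() != "remote-user"]
    if authenticated_user:
        forwarded.append(("Remote-User", authenticated_user))
    return forwarded


def identity_seen_by_app(client_headers: Headers, authenticated_user: Optional[str],
                         drop_underscores: bool) -> Optional[str]:
    """Deployment self-check: which identity does the app end up trusting?"""
    env = build_environ(proxy_forward(client_headers, authenticated_user), drop_underscores)
    return env.get(TRUSTED_IDENTITY_KEY)
```

Run `identity_seen_by_app` with the header names your own proxy forwards: with the hardened fold, the only value that can populate the trusted key is the one the proxy set after authenticating.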
Impact and Urgency
The flaw affects all active Red Hat Satellite deployments (versions 6.13, 6.14, and 6.15) that utilize Pulpcore version 3.0 or later. The potential for unauthorized administrative access makes this a critical vulnerability that demands immediate attention.
Mitigation
This flaw was fixed in Foreman 3.10.1, 3.11.2, and 3.12.0. Red Hat has responded swiftly by issuing a patch to address CVE-2024-7923. Users are strongly urged to update their Pulpcore and Gunicorn installations to the latest patched versions as soon as possible.