CVE-2020-14325

9.1 CRITICAL

📋 TL;DR

CVE-2020-14325 is an authorization flaw in Red Hat CloudForms: the API's user-impersonation handling is not properly checked, so an attacker who can reach the API can act as another user and create accounts in the super administrator role. A super administrator controls the whole CloudForms management engine (every provider, VM and stored credential it manages), so this amounts to a complete compromise of the platform. CloudForms releases before 5.11.7.0 are affected.

💻 Affected Systems

Products:
  • Red Hat CloudForms
Versions: All versions before 5.11.7.0
Operating Systems: Red Hat Enterprise Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects CloudForms management appliance deployments. No special configuration required for exploitation.

📦 What is this software?

Red Hat CloudForms is Red Hat's supported build of the open-source ManageIQ cloud management platform. It ships as a virtual appliance (CloudForms Management Engine, CFME) on Red Hat Enterprise Linux and exposes a web UI and a REST API (/api) over HTTPS, from which administrators manage virtual machines, providers and provider credentials across virtualization and cloud platforms. That API is the surface affected by this CVE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of CloudForms infrastructure allowing attackers to manage virtual machines, modify configurations, access sensitive data, and pivot to other systems in the environment.

🟠 Likely Case

Attackers gain administrative access to CloudForms, enabling them to create/manage VMs, access cloud credentials, and potentially compromise the broader cloud infrastructure.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized access to CloudForms management interfaces.

🌐 Internet-Facing: HIGH - If the CloudForms UI/API is reachable from the internet, the impersonation flaw can be exercised remotely with ordinary HTTPS requests; no user interaction or special configuration is involved.
🏢 Internal Only: HIGH - Any host with network access to the appliance's API can be used to exercise the flaw and end up with super administrator privileges over CloudForms; internal placement only limits who can reach the endpoint, not what the flaw yields.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Unconfirmed (see note below)
Complexity: LOW

The flaw is an authorization bypass in the CloudForms REST API (/api on TCP 443): the user-impersonation path is not properly checked, and through it an account can be created in the EvmGroup-super_administrator group. Exploitation needs network reachability of the API endpoint and ordinary API requests; no special configuration is required. Caveat: the vendor describes this as an authorization (impersonation) flaw rather than an authentication bypass, so confirm the privileges-required component of the CVSS vector in the Red Hat advisory before treating it as fully unauthenticated, and in the meantime plan as if any principal able to reach the API can abuse it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.11.7.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2020-14325

Restart Required: Yes

Instructions:

1. Update every CloudForms appliance to 5.11.7.0 or later, either through Red Hat Satellite or directly from the Red Hat repositories.
2. Apply the update to all appliances in the region, not only the one serving the UI, so that no appliance is left running the vulnerable API.
3. Restart the CloudForms services (evmserverd) once the update completes and confirm the version on each appliance.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the CloudForms web UI and REST API (TCP 443 on the appliance) to trusted administrative networks. Adding an accept rule on its own changes nothing if the firewalld zone already allows HTTPS from everywhere, so remove the blanket allow first and then add the source-restricted rule. Replace TRUSTED_NETWORK/24 with the real CIDR, and compare the output of firewall-cmd --list-all before and after to confirm that https is no longer a zone-wide service or port and that the rich rule is present.

firewall-cmd --permanent --remove-service=https
firewall-cmd --permanent --remove-port=443/tcp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK/24" port protocol="tcp" port="443" accept'
firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CloudForms management interfaces from untrusted networks
  • Enable detailed API access logging and monitor for unauthorized user creation or privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Read the version from the web interface (Settings → About) or from the appliance over SSH. Any value below 5.11.7.0 is vulnerable.

Check Version:

cat /var/www/miq/vmdb/VERSION

Verify Fix Applied:

Confirm the file reports 5.11.7.0 or higher on every appliance in the region, not just the one you logged in to. Do not prove the fix by exercising the impersonation path against a production appliance; a per-appliance version check is the verification.
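Worked version check, added here as an example and not part of the Red Hat advisory: a POSIX shell function that compares the contents of the appliance's VERSION file against the fixed release 5.11.7.0 component by component, so that 5.11.10.x is correctly treated as newer than 5.11.7.0 (a plain string or lexical comparison gets that wrong). The VERSION path is the one given above; the function names and the severity labels are this example's own.

```shell
#!/bin/sh
# Added example: decide whether a CloudForms appliance is affected by
# CVE-2020-14325 from its VERSION file. Not vendor code.
FIXED_VERSION="5.11.7.0"   # first release containing the fix (from the advisory)

# version_lt A B -> exit 0 when A < B, comparing up to four dot-separated
# numeric components; a missing component counts as 0 (5.11.7 == 5.11.7.0).
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# cve_2020_14325_status VERSION -> prints VULNERABLE or FIXED
cve_2020_14325_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo FIXED; fi
}

# check_appliance [path] -> reads the version file (default: the appliance
# path) and prints a one-line verdict; exit 2 if the file is unreadable.
check_appliance() {
    f="${1:-/var/www/miq/vmdb/VERSION}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    echo "CloudForms $v: $(cve_2020_14325_status "$v")"
}

# Stand-alone use: ./check_cfme.sh [/path/to/VERSION]
if [ -r "${1:-/var/www/miq/vmdb/VERSION}" ]; then check_appliance "$@"; fi
```

Run it on each appliance (or point it at a VERSION file copied off the appliance) and treat any VULNERABLE verdict as a patch-now item.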

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API calls to user creation endpoints
  • Unexpected creation of EvmGroup-super_administrator accounts
  • API requests from unexpected IP addresses

Network Indicators:

  • Unusual API traffic patterns to CloudForms management interfaces
  • Requests to user impersonation endpoints from non-admin sources

SIEM Query (illustrative; the source name and field names depend on how your collector parses the CloudForms API and audit logs, and the group match should be on the account's group, which is where super_administrator appears):

source="cloudforms" AND (event="user_create" OR event="api_call") AND (group="*super_administrator*" OR status="unauthorized")
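Added detection example (not code from CloudForms or Red Hat): a shell/awk scanner that turns the log indicators above into a rule. It flags any create (POST /api/users) or edit (POST, PUT or PATCH to /api/users/<id>) whose body references EvmGroup-super_administrator, and raises the severity to HIGH when the requester is not an allowed admin account or the source address is outside the admin network. The key=value record format, the sample lines, the admin network 10.0.5.0/24 and the allowed-account list are all constructed assumptions for this example; real CloudForms API logs under /var/www/miq/vmdb/log/ use a different layout, so the field extraction must be adapted before use.

```shell
#!/bin/sh
# Added example (not CloudForms project code): flag API requests that create
# or re-group an account into EvmGroup-super_administrator.
# The key=value line format below is CONSTRUCTED for this example; real
# CloudForms api.log entries look different, so adapt field extraction.

ADMIN_NET_PREFIX="10.0.5."   # assumption: the network admins work from
ADMIN_USERS="admin"          # assumption: accounts allowed to grant super admin

# Constructed sample of API request records (not real appliance output).
sample_log() {
cat <<'EOF'
ts=2020-07-20T09:12:33Z method=POST path=/api/users user=admin src=10.0.5.10 body={"userid":"svc-backup","group":{"description":"EvmGroup-vm_user"}}
ts=2020-07-20T09:13:01Z method=POST path=/api/users user=operator1 src=192.0.2.44 body={"userid":"helpdesk2","group":{"description":"EvmGroup-super_administrator"}}
ts=2020-07-20T09:14:10Z method=GET path=/api/users user=admin src=10.0.5.10
ts=2020-07-20T09:15:44Z method=POST path=/api/users user=admin src=10.0.5.10 body={"userid":"newadmin","group":{"description":"EvmGroup-super_administrator"}}
ts=2020-07-20T09:16:02Z method=PATCH path=/api/users/42 user=operator1 src=10.0.5.23 body={"group":{"description":"EvmGroup-super_administrator"}}
EOF
}

# scan_superadmin_grants: reads records on stdin and prints one ALERT line per
# write to /api/users (create) or /api/users/<id> (edit) that references the
# super administrator group. Severity is HIGH when the requester is not an
# allowed admin account or the request did not come from the admin network.
scan_superadmin_grants() {
    awk -v admin_net="$ADMIN_NET_PREFIX" -v admin_users="$ADMIN_USERS" '
    BEGIN { split(admin_users, tmp, " "); for (i in tmp) allowed[tmp[i]] = 1 }
    # field(name): value of a "name=value" token anchored at line start or a space
    function field(name,   v) {
        if (!match($0, "(^| )" name "=[^ ]+")) return ""
        v = substr($0, RSTART, RLENGTH); sub(/^ /, "", v); sub("^" name "=", "", v)
        return v
    }
    # target(): userid from the JSON body on create, or the path when editing by id
    function target(   s) {
        if (match($0, /"userid":"[^"]+"/)) { s = substr($0, RSTART + 10, RLENGTH - 11); return s }
        return field("path")
    }
    field("method") ~ /^(POST|PUT|PATCH)$/ &&
    field("path")   ~ /^\/api\/users(\/[0-9]+)?$/ &&
    /EvmGroup-super_administrator/ {
        u = field("user"); s = field("src"); sev = "MEDIUM"
        if (!(u in allowed) || index(s, admin_net) != 1) sev = "HIGH"
        printf "ALERT %s ts=%s requester=%s src=%s target=%s\n", sev, field("ts"), u, s, target()
    }'
}

# Stand-alone run against the constructed sample.
sample_log | scan_superadmin_grants
```

On the sample this yields three alerts: helpdesk2 created by a non-admin from outside the admin network (HIGH), user 42 re-grouped by a non-admin (HIGH even though the source is on the admin network), and newadmin created by admin from the admin network (MEDIUM, still worth a ticket because super administrator grants should be rare). Feed real records through the same rule once the field extraction matches your log layout, and keep the GET and the EvmGroup-vm_user create in the sample as negative cases when you adapt it.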

🔗 References

  • Red Hat CVE page: https://access.redhat.com/security/cve/cve-2020-14325