CVE-2024-4871
📋 TL;DR
This vulnerability in Satellite allows man-in-the-middle attacks when running remote execution jobs because SSH host key verification is disabled. Attackers can intercept connections, steal secrets from jobs, or cause denial of service. Organizations using Satellite for remote execution are affected.
💻 Affected Systems
- Red Hat Satellite
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept SSH connections, steal sensitive secrets from remote execution jobs, and use those credentials to gain unauthorized access to managed systems.
Likely Case
Attackers perform man-in-the-middle attacks to intercept and modify remote execution jobs, potentially stealing credentials or causing job failures.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential job failures or minor data leakage within controlled environments.
🎯 Exploit Status
Exploitation requires network access to intercept SSH traffic between Satellite and managed hosts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Satellite 6.14 with errata RHBA-2024:4589 or later
Vendor Advisory: https://access.redhat.com/errata/RHBA-2024:4589
Restart Required: Yes
Instructions:
1. Update Satellite via 'yum update satellite'
2. Apply the errata RHBA-2024:4589
3. Restart Satellite services
4. Verify SSH key checking is enabled
🔧 Temporary Workarounds
Disable remote execution
linux: Temporarily disable remote execution jobs until patched
satellite-installer --disable-foreman-proxy-plugin-remote-execution-ssh
Network segmentation
all: Isolate Satellite server and managed hosts on separate VLANs
🧯 If You Can't Patch
- Implement strict network segmentation between Satellite and managed hosts
- Monitor SSH connections for unexpected host key changes or MITM indicators
🔍 How to Verify
Check if Vulnerable:
Check the Satellite version with 'rpm -q satellite'; the system is vulnerable if it is below 6.14 with RHBA-2024:4589
Check Version:
rpm -q satellite
Verify Fix Applied:
Verify that SSH connections now check host keys: run test remote execution jobs and confirm that StrictHostKeyChecking=no does not appear in the logs
📡 Detection & Monitoring
Log Indicators:
- SSH connections with 'StrictHostKeyChecking=no'
- Unexpected host key changes in /var/log/foreman-proxy/proxy.log
Network Indicators:
- SSH traffic interception between Satellite and managed hosts
- Unexpected SSH key exchanges
SIEM Query:
source="/var/log/foreman-proxy/proxy.log" AND "StrictHostKeyChecking=no"
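Added example (not part of the original advisory or of Satellite's code): a small Python scanner that applies the log indicator above to a set of log lines and reports every SSH option that turns host key verification off. It goes slightly beyond the SIEM query by also matching the "off" alias, other separators, and UserKnownHostsFile=/dev/null; the sample log lines and host names are constructed for illustration and do not reproduce the real proxy.log format.

```python
import re

# OpenSSH option keywords are case-insensitive. These settings disable or
# defeat host key verification: "off" is an alias for "no", and a known-hosts
# file of /dev/null means no recorded key is ever compared.
# "accept-new" is not flagged: it still rejects a changed host key.
WEAK_VALUES = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
}

# Matches Key=Value, "Key Value", Key = Value and -oKey=Value forms.
OPTION_RE = re.compile(
    r"(?P<key>StrictHostKeyChecking|UserKnownHostsFile)"
    r"\s*[=\s]\s*[\"']?(?P<value>[^\s\"',]+)",
    re.IGNORECASE,
)


def find_disabled_host_key_checks(lines):
    """Return (line_number, option, value) for each weak SSH option found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in OPTION_RE.finditer(line):
            key = match.group("key").lower()
            # Compared lower-cased so a differently cased value is not missed.
            value = match.group("value").lower()
            if value in WEAK_VALUES[key]:
                findings.append((lineno, key, value))
    return findings


def log_is_clean(lines):
    """True when no line shows host key verification being disabled."""
    return not find_disabled_host_key_checks(lines)


# Constructed sample lines (illustrative only, not real Satellite output).
SAMPLE_LOG = """\
2024-01-01T10:00:01 [D] ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@host1.example.test
2024-01-01T10:00:05 [D] ssh -o StrictHostKeyChecking=yes root@host2.example.test
2024-01-01T10:00:09 [D] ssh -ostricthostkeychecking=off root@host3.example.test
2024-01-01T10:00:12 [I] job finished on host2.example.test
""".splitlines()

if __name__ == "__main__":
    for lineno, option, value in find_disabled_host_key_checks(SAMPLE_LOG):
        print(f"line {lineno}: {option}={value}")
```

To use it for the "Verify Fix Applied" step, pass the lines of the log written during a test job to log_is_clean() and expect True.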