CVE-2024-7012
📋 TL;DR
An authentication bypass vulnerability in Foreman with External Authentication allows attackers to gain administrative access by exploiting Apache mod_proxy's handling of HTTP headers with underscores. This affects all active Satellite deployments (versions 6.13, 6.14, and 6.15) and could lead to complete system compromise.
💻 Affected Systems
- Red Hat Satellite
- Foreman
📦 What is this software?
Satellite by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized attackers gain administrative access to Satellite/Foreman systems, enabling complete control over managed infrastructure, credential theft, and lateral movement to connected systems.
Likely Case
Attackers bypass authentication to access administrative interfaces, modify configurations, deploy malicious content, or extract sensitive data from managed systems.
If Mitigated
With proper network segmentation and access controls, impact is limited to the Foreman/Satellite system itself, though administrative compromise remains significant.
🎯 Exploit Status
Exploitation requires sending malformed HTTP headers with underscores to bypass authentication checks. No authentication is required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Satellite 6.13.z, 6.14.z, 6.15.z (see specific errata)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-7012
Restart Required: Yes
Instructions:
1. Apply the relevant Red Hat errata (RHSA-2024:6335, RHSA-2024:6336, RHSA-2024:6337, or RHSA-2024:8906).
2. Restart the Apache and Foreman services.
3. Verify the patch is applied and test authentication functionality.
🔧 Temporary Workarounds
Configure Apache to reject headers with underscores
Modify the Apache configuration to reject HTTP headers containing underscores, which prevents the malformed-header exploitation.
Add 'AllowUnderscoreHeaders Off' to the Apache configuration files for the Foreman/Satellite virtual hosts. Note that this directive is not part of stock Apache httpd; confirm the equivalent setting for your proxy or module before relying on this workaround, and test the external authentication flow afterwards.
Restrict network access to Foreman/Satellite
Limit access to the Foreman/Satellite web interfaces to trusted networks only using firewall rules (replace the placeholder with your trusted network in CIDR form; rule order matters, so the ACCEPT must precede the DROP):
iptables -A INPUT -p tcp --dport 443 -s <trusted_network_cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Foreman/Satellite systems from untrusted networks
- Enable detailed logging and monitoring for authentication bypass attempts and unusual administrative activities
🔍 How to Verify
Check if Vulnerable:
Check if running Satellite 6.13, 6.14, or 6.15 with External Authentication configured. Review Apache configuration for mod_proxy usage with Foreman.
Check Version:
rpm -q satellite
Verify Fix Applied:
Verify Satellite version is updated to patched release and test authentication with malformed headers containing underscores (should be rejected).
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access with unusual headers
- Apache access logs showing requests with headers containing underscores to authentication endpoints
Network Indicators:
- HTTP requests to Foreman/Satellite with headers containing underscores in authentication paths
- Unusual administrative activity from previously unknown IP addresses
SIEM Query:
source="apache_access" AND (uri_path="/users/extlogin" OR uri_path="/api/v2/users/extlogin") AND http_headers="*_*"
Note: the default Apache access-log formats do not record request header names, so this query only matches if the LogFormat, a reverse proxy, or a WAF in front of Foreman/Satellite has been configured to log them.
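As an added example (not part of this advisory, and not Foreman or Red Hat code), the following Python scanner applies the detection idea above to a proxy or WAF log that records request header names. The JSON-lines field names (`client`, `method`, `path`, `status`, `headers`) and the sample records are constructed assumptions; the authentication paths are the ones used in the SIEM query.

```python
import json
from typing import Dict, Iterable, List

# Authentication endpoints taken from the SIEM query above.
AUTH_PATHS = ("/users/extlogin", "/api/v2/users/extlogin")

# Constructed sample log: JSON-lines records as a reverse proxy or WAF might
# emit them. The field layout is an assumption, not a Foreman/Satellite format.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "method": "GET", "path": "/users/extlogin", "status": 302, "headers": {"Host": "sat.example.internal", "User-Agent": "curl/8.0", "Accept": "*/*"}}
{"client": "203.0.113.7", "method": "GET", "path": "/users/extlogin", "status": 302, "headers": {"Host": "sat.example.internal", "X_Custom_Header": "value"}}
{"client": "10.0.0.9", "method": "GET", "path": "/hosts", "status": 200, "headers": {"Host": "sat.example.internal", "X_Trace_Id": "abc"}}
{"client": "203.0.113.7", "method": "POST", "path": "/api/v2/users/extlogin?return=1", "status": 200, "headers": {"Host": "sat.example.internal", "Some_Header": "x"}}
"""


def underscore_headers(headers: Dict[str, str]) -> List[str]:
    """Return the request header names that contain an underscore, sorted."""
    return sorted(name for name in headers if "_" in name)


def is_auth_path(path: str) -> bool:
    """True if the request path (query string ignored) is an extlogin endpoint."""
    base = path.split("?", 1)[0]
    return base in AUTH_PATHS


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Flag requests to the authentication endpoints carrying underscore headers.

    Malformed records are skipped rather than aborting the scan, so a single
    bad line in a large log does not hide later findings.
    """
    findings: List[dict] = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not is_auth_path(rec.get("path", "")):
            continue
        suspicious = underscore_headers(rec.get("headers", {}))
        if suspicious:
            findings.append({
                "line": lineno,
                "client": rec.get("client"),
                "path": rec.get("path"),
                "status": rec.get("status"),
                "headers": suspicious,
            })
    return findings


def summarize_by_client(findings: List[dict]) -> Dict[str, int]:
    """Count flagged requests per client address for triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h['line']}: {h['client']} -> {h['path']} "
              f"status={h['status']} headers={h['headers']}")
    print("per client:", summarize_by_client(hits))
```

Run it against a real log by replacing `SAMPLE_LOG.splitlines()` with an open file handle; a non-authentication path with underscore headers (the `/hosts` record) is deliberately not flagged, since the page's indicator is underscore headers reaching the extlogin endpoints specifically.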