[Openstack-security] [Bug 1409142] Related fix merged to nova (master)

OpenStack Infra 1409142 at bugs.launchpad.net
Thu Apr 9 10:30:49 UTC 2015


Reviewed:  https://review.openstack.org/169752
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=2ffcf18d00eff6fb0777769469c4aa5ac7bbb6c9
Submitter: Jenkins
Branch:    master

commit 2ffcf18d00eff6fb0777769469c4aa5ac7bbb6c9
Author: Nikola Dipanov <ndipanov at redhat.com>
Date:   Wed Apr 1 14:35:13 2015 +0100

    consoleauth: Store access_url on token authorization
    
    Related-bug: 1409142
    
    As part of the fix for the related bug - we've added protocol checking
    to mitigate MITM attacks, however we base protocol checking on a config
    option that is normally only intended for compute hosts.
    
    This is quite user hostile, as it is now important that all nodes
    running compute and proxy services have this option in sync.
    
    We can do better than that - we can persist the URL the client is
    expected to use, and once we get it back on token validation, we can
    make sure that the request is using the intended protocol, mitigating
    the MITM injected script attacks.
    
    This patch makes sure that the access_url is persisted with the token -
    the follow-up patch makes consoles use that info.
    
    Change-Id: I02a377f54de46536ca35413b615d3298967afc33

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1409142

Title:
  [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server
  (CVE-2015-0259)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) icehouse series:
  Fix Released
Status in OpenStack Compute (nova) juno series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to
  the bug as attachments.

  OpenStack Vulnerability Team:

  Brian Manifold (bmanifol at cisco.com) from Cisco has discovered a
  vulnerability in the Nova VNC server implementation. We have a patch for
  this vulnerability and consider this a very high risk.

  Please email Dave McCowan (dmccowan at cisco.com) for more details on the
  attached patch.

  Issue Details:

  Horizon uses a VNC client which uses websockets to pass information.  The
  Nova VNC server does not validate the origin of the websocket request,
  which allows an attacker to make a websocket request from another domain.
  If the victim opens both an attacker's site and the VNC console
  simultaneously, or if the victim has recently been using the VNC console
  and then visits the attacker's site, the attacker can make a websocket
  request to the Horizon domain and proxy the connection to another
  destination.

  This gives the attacker full read-write access to the VNC console of any
  instance recently accessed by the victim.

  Recommendation:
   Verify the origin field in request header on all websocket requests.

  Threat:
   CWE-345
   * Insufficient Verification of Data Authenticity -- The software does not
     sufficiently verify the origin or authenticity of data, in a way that
     causes it to accept invalid data.

   CWE-346
   * Origin Validation Error -- The software does not properly verify that
     the source of data or communication is valid.

   CWE-441
   * Unintended Proxy or Intermediary ('Confused Deputy') -- The software
     receives a request, message, or directive from an upstream component, but
     the software does not sufficiently preserve the original source of the
     request before forwarding the request to an external actor that is outside
     of the software's control sphere. This causes the software to appear to be
     the source of the request, leading it to act as a proxy or other
     intermediary between the upstream component and the external actor.

  Steps to reproduce:
   1. Log in to Horizon
   2. Pick an instance, go to console/vnc tab, wait for console to be loaded
   3. In another browser tab or window, load a VNC console script from local
      disk or remote site
   4. Point the newly loaded VNC console to the VNC server and a connection
      is made
  Result:
   The original connection has been hijacked by the second connection

  Root cause:
   Cross-Site WebSocket Hijacking is a concept that has been written about in
  various security blogs.
  One of the recommended countermeasures is to check the Origin header of
  the WebSocket handshake request.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1409142/+subscriptions
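
The Origin check recommended in the bug description, combined with the access_url protocol check the commit message describes, as an added example (not Nova's code and not the attached patch). The function names, the lower-cased header dict and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _hostname(netloc):
    """Hostname from a Host header value, without port (IPv6 brackets handled)."""
    return urlsplit("//" + netloc).hostname


def check_origin(headers, access_url, extra_allowed_hosts=()):
    """Return (ok, reason) for a WebSocket handshake.

    headers: request headers with lower-cased names (assumed shape).
    access_url: URL stored with the console token when it was authorized.
    """
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake; this sketch
        # refuses requests without one. Relaxing that is a policy decision.
        return False, "missing Origin"
    got = urlsplit(origin)
    if got.scheme not in ("http", "https") or not got.hostname:
        return False, "malformed Origin"  # also covers "Origin: null"
    # Compare hostnames only: the proxy usually listens on its own port.
    allowed = {_hostname(headers.get("host", ""))} | set(extra_allowed_hosts)
    allowed.discard(None)
    if got.hostname not in allowed:
        return False, "Origin host not allowed"
    # The protocol the client was told to use travels with the token, so the
    # proxy needs no config option kept in sync with the compute hosts.
    if got.scheme != urlsplit(access_url).scheme:
        return False, "Origin scheme differs from access_url"
    return True, "ok"


# Constructed sample values, not taken from the bug report.
ACCESS_URL = "https://cloud.example.test:6080/vnc_auto.html?token=CONSTRUCTED"
SAMPLES = [
    {"host": "cloud.example.test:6080", "origin": "https://cloud.example.test"},
    {"host": "cloud.example.test:6080", "origin": "https://other.example.test"},
    {"host": "cloud.example.test:6080", "origin": "http://cloud.example.test"},
    {"host": "cloud.example.test:6080"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h.get("origin"), "->", check_origin(h, ACCESS_URL))
```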



