[openstack-dev] [OSSN 0044] Older versions of noVNC allow session theft

Solly Ross sross at redhat.com
Mon Mar 2 21:56:45 UTC 2015


Hi!

I just wanted to note that noVNC 0.5.1 is slated to be in Fedora 22 and
is currently in EPEL testing for EPEL 6 and EPEL 7
(https://apps.fedoraproject.org/packages/novnc).

Best Regards,
Solly Ross

----- Original Message -----
> From: "Nathan Kinder" <nkinder at redhat.com>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
> Sent: Monday, March 2, 2015 4:09:06 PM
> Subject: [openstack-dev] [OSSN 0044] Older versions of noVNC allow session theft
> 
> Older versions of noVNC allow session theft
> - ---
> 
> ### Summary ###
> Commonly packaged versions of noVNC allow an attacker to hijack user
> sessions even when TLS is enabled. noVNC fails to set the secure flag
> when setting cookies containing an authentication token.
> 
> ### Affected Services / Software ###
> Nova, when embedding noVNC prior to v0.5
> 
> ### Discussion ###
> Versions of noVNC prior to October 28, 2013 do not properly set the
> secure flag on cookies for pages served over TLS. Since noVNC stores
> authentication tokens in these cookies, an attacker who can modify
> user traffic can steal these tokens and connect to the VNC session.
> 
> Affected deployments can be identified by looking for the "secure"
> flag on the token cookie set by noVNC on TLS-enabled installations. If
> the secure flag is missing, the installation is vulnerable.
> 
> At the time of writing, Debian, Ubuntu and Fedora do not provide
> versions of this package with the appropriate patch.
> 
> ### Recommended Actions ###
> noVNC should be updated to version 0.5 or later. If this is not
> possible, the upstream patch should be applied individually.
> 
> Upstream patch:
> https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
> 
> ### Contacts / References ###
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0044
> Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1420942
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> CVE: in progress - http://www.openwall.com/lists/oss-security/2015/02/17/1

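The check the advisory describes (looking for the "secure" flag on the token cookie of a TLS-enabled installation), sketched as an added example. It is not noVNC or Nova code; the cookie name `token`, the function names and the sample strings are assumptions constructed for illustration.

```javascript
// Added example, not noVNC code. Names and sample values are constructed.

// Parse a string as it would be assigned to document.cookie.
function parseCookieWrite(str) {
  const [pair = "", ...attrs] = str.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const attributes = new Map();
  for (const a of attrs) {
    const i = a.indexOf("=");
    // Attribute names are case-insensitive; "secure" carries no value.
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? "" : a.slice(i + 1).trim());
  }
  return {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attributes,
  };
}

// Return the names of sensitive cookies written without "secure" on an
// https: page. On http: pages the advisory's check does not apply.
function auditCookieWrites(writes, pageProtocol, sensitiveNames) {
  if (pageProtocol !== "https:") return [];
  return writes
    .map(parseCookieWrite)
    .filter((c) => sensitiveNames.includes(c.name) && !c.attributes.has("secure"))
    .map((c) => c.name);
}

// Cookie writer in its flawed form (hardened = false) and in a corrected
// form that adds the flag whenever the page itself was served over TLS.
function buildCookie(name, value, pageProtocol, hardened) {
  let s = `${name}=${encodeURIComponent(value)}; path=/`;
  if (hardened && pageProtocol === "https:") s += "; secure";
  return s;
}

// Constructed sample: the same token written both ways on a TLS page.
const before = buildCookie("token", "sample-token-value", "https:", false);
const after = buildCookie("token", "sample-token-value", "https:", true);
console.log(auditCookieWrites([before], "https:", ["token"])); // flagged
console.log(auditCookieWrites([after], "https:", ["token"]));  // clean
```

Reading `document.cookie` back returns only `name=value` pairs, so the attribute has to be checked where the cookie is written or in the browser's cookie inspector.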