Nova console Cross-Site WebSocket hijacking

Bug #1420273 reported by Roman Podoliaka
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Fix Released | High | Roman Podoliaka |
5.0.x | Won't Fix | Critical | Denis Meltsaykin |
5.1.x | Fix Released | Critical | Denis Meltsaykin |
6.0.x | Fix Released | Critical | Denis Meltsaykin |
6.1.x | Fix Released | High | Roman Podoliaka |

Bug Description

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Nova console Cross-Site WebSocket hijacking
Reporter: Brian Manifold (Cisco)
Products: Nova
Versions: up to 2014.1.3 and 2014.2 versions up to 2014.2.2

Description:
Brian Manifold from Cisco reported a vulnerability in Nova console websocket.
By tricking an authenticated user into clicking a malicious URL, a remote
attacker may trigger a cross-site-websocket-hijacking vulnerability resulting
in potential hijack of consoles where the user is still logged in. Only Nova
setups with vnc or spice enabled are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/icehouse, stable/juno and master on the public
disclosure date.

CVE: CVE-2015-0259

Proposed public disclosure date/time:
2015-02-12, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Roman Podoliaka (rpodolyaka) wrote :

Waiting for the vulnerability to be disclosed and the fix to be merged to stable/juno

no longer affects: mos/7.0.x
Vitaly Sedelnik (vsedelnik) wrote :

New patches are available (attached above), new proposed public disclosure date/time is 2015-03-10, 1500UTC

Vitaly Sedelnik (vsedelnik) wrote :

Another set of patches was sent out. According to the email, another error has been discovered in the last proposed patch: a typo renders the VNC proxy unusable. The disclosure date remains the same, 2015-03-10, 1500UTC

Roman Podoliaka (rpodolyaka) wrote :
information type: Private Security → Public Security
OSCI Robot (oscirobot) wrote :

RPM package nova has been built for project openstack/nova
Package version == 2014.2.2, package release == fuel6.0.1.mira6

Changeset: https://review.fuel-infra.org/4841
project: openstack/nova
branch: openstack-ci/fuel-6.0.1/2014.2
author: Oleg Bondarev
committer: Oleg Bondarev
subject: Fix orphaned ports on build failure
status: change-merged

Files placed on repository:

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0.1-stable/centos

OSCI Robot (oscirobot) wrote :

DEB package nova has been built for project openstack/nova
Package version == 2014.2.2, package release == fuel6.0.1~mira6

Changeset: https://review.fuel-infra.org/4841
project: openstack/nova
branch: openstack-ci/fuel-6.0.1/2014.2
author: Oleg Bondarev
committer: Oleg Bondarev
subject: Fix orphaned ports on build failure
status: change-merged

Files placed on repository:

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0.1-stable/ubuntu

OSCI Robot (oscirobot) wrote :

RPM package nova has been built for project openstack/nova
Package version == 2014.2, package release == fuel6.0.mira21

Changeset: https://review.fuel-infra.org/4532
project: openstack/nova
branch: openstack-ci/fuel-6.0-updates/2014.2
author: Alexandr Nevenchannyy
committer: Alexandr Nevenchannyy
subject: Fix VNC access, when reverse DNS lookups fail
status: change-merged

Files placed on repository:

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-updates-stable/centos

OSCI Robot (oscirobot) wrote :

DEB package nova has been built for project openstack/nova
Package version == 2014.2, package release == fuel6.0~mira21

Changeset: https://review.fuel-infra.org/4532
project: openstack/nova
branch: openstack-ci/fuel-6.0-updates/2014.2
author: Alexandr Nevenchannyy
committer: Alexandr Nevenchannyy
subject: Fix VNC access, when reverse DNS lookups fail
status: change-merged

Files placed on repository:

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable/ubuntu

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/nova (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/4380
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 4e78a59b078e150be6afee0d674c557d289b6ff0
Author: Dave McCowan <email address hidden>
Date: Tue Mar 10 10:25:11 2015

Websocket Proxy should verify Origin header

From: Dave McCowan <email address hidden>
Date: Tue, 24 Feb 2015 21:35:48 -0500
Subject: [PATCH] Websocket Proxy should verify Origin header

If the Origin HTTP header passed in the WebSocket handshake does
not match the host, this could indicate an attempt at a
cross-site attack. This commit adds a check to verify
the origin matches the host.

Change-Id: I16c3700828bf391a37abbab4b6daab8ce9b0d791
Closes-Bug: #1420273

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/nova (openstack-ci/fuel-5.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/4382
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1-updates/2014.1.1

Commit: 12c7b428670db12c2d37dd1c16d9ba728639d6da
Author: Denis Meltsaykin <email address hidden>
Date: Mon Jun 29 12:41:33 2015

Websocket Proxy should verify Origin header

From: Dave McCowan <email address hidden>
Date: Wed, 25 Feb 2015 02:35:48 +0000 (-0500)
Subject: Websocket Proxy should verify Origin header

If the Origin HTTP header passed in the WebSocket handshake does
not match the host, this could indicate an attempt at a
cross-site attack. This commit adds a check to verify
the origin matches the host.

Change-Id: Ib576c9ab136d18d04f1f987ea5d06906d9ec921d
Closes-Bug: #1420273
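
The Origin check that the commit message above describes, as an added Python example; it is not part of this bug thread and is not the Nova patch. The function names, the `extra_origins` allowlist, the `allow_missing` switch and the example.org / attacker.test host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _endpoint(url):
    """Normalise an http(s) URL to (host, port), or None if unusable."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None  # "null", file:// and other opaque origins
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        return parts.hostname.rstrip("."), port
    except ValueError:  # non-numeric port or malformed IPv6 literal
        return None


def origin_allowed(headers, tls=True, extra_origins=(), allow_missing=False):
    """Decide whether a WebSocket handshake may proceed.

    headers       -- handshake request headers as a dict
    tls           -- True if the client reached the proxy over TLS
    extra_origins -- hypothetical operator allowlist of further origins
    allow_missing -- accept handshakes without Origin (non-browser clients)
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "origin" not in h:
        # Browsers always send Origin on a WebSocket handshake, so a
        # missing header means a non-browser client; policy is the caller's.
        return allow_missing
    origin = _endpoint(h["origin"])
    host = _endpoint(("https://" if tls else "http://") + h.get("host", ""))
    if origin is None or host is None:
        return False
    # Exact comparison only: substring or suffix matching would accept
    # look-alike names such as console.example.org.attacker.test.
    allowed = {host} | {_endpoint(o) for o in extra_origins}
    return origin in allowed


# Constructed sample handshakes (not taken from the bug report).
SAMPLES = [
    {"Host": "console.example.org:6080", "Origin": "https://console.example.org:6080"},
    {"Host": "console.example.org:6080", "Origin": "https://attacker.test"},
    {"Host": "console.example.org:6080", "Origin": "null"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["Origin"], "->", origin_allowed(sample))
```

The check rejects a handshake before any console traffic is proxied, so a page on another site cannot reuse the user's still-valid console session.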

Timur Nurlygayanov (tnurlygayanov) wrote :

Looks like this issue was successfully fixed for MOS 6.1, status changed to Fix Released.

Changed in mos:
status: Fix Committed → Fix Released
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/nova (openstack-ci/fuel-5.1.2/2014.1.1)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: openstack-ci/fuel-5.1.2/2014.1.1
Review: https://review.fuel-infra.org/4376
Reason: not needed

tags: added: feature-security