[OSSA-2020-008] Open redirect in workflow forms (CVE-2020-29565)

It looks like we have no validation on the "next" parameter, that is getting passed to the target attribute of the form.

A possible fix could look like this:

diff --git a/horizon/workflows/views.py b/horizon/workflows/views.py
index 9c8fe1a27..2caf969e3 100644
--- a/horizon/workflows/views.py
+++ b/horizon/workflows/views.py
@@ -90,8 +90,14 @@ class WorkflowView(hz_views.ModalBackdropMixin, generic.TemplateView):
         workflow = self.get_workflow()
         workflow.verify_integrity()
         context[self.context_object_name] = workflow
- next = self.request.GET.get(workflow.redirect_param_name)
- context['REDIRECT_URL'] = next
+ redirect_to = self.request.GET.get(workflow.redirect_param_name)
+ # Make sure the requested redirect matches the protocol,
+ # domain, and port of this request
+ if redirect_to and not http.same_origin(
+ request.build_absolute_uri(redirect_to),
+ request.build_absolute_uri()):
+ redirect_to = None
+ context['REDIRECT_URL'] = redirect_to
         context['layout'] = self.get_layout()
         # For consistency with Workflow class
         context['modal'] = 'modal' in context['layout']

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

It's not clear to me how an attacker would alter the "next" GET variable's value supplied by Horizon. Can you elaborate on an actual exploit scenario making use of this trick?

Is the concern that someone might name, say, a server instance as that URL and it will be passed through unaltered similar to bug 1247675? Or is the concern simply that someone may send a maliciously-crafted Horizon URL to someone out of band and socially engineer them into clicking on it? If the latter, I think this may be a duplicate of (still private) bug 1825549.

Horizon security reviewers, can you take a look?

As the value is automatically escaped when inserted into the template, the first scenario is not a concern.

The second scenario is a possibility, and is especially bad, as the request that reaches the malicious server is a POST request, containing all the data from the particular form (which, depending on which workflow is chosen, may contain sensitive data).

There is also another scenario, where this vulnerability is used together with some other vulnerability, like an XSS attack, to circumvent the same-origin restrictions and send harvested data embedded in the next URL to outside server.

I don't have access to bug 1825549 so I can't comment on that.

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

Is there any update on this?

Reviewed: https://review.opendev.org/750207
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=252467100f75587e18df9c43ed5802ee8f0017fa
Submitter: Zuul
Branch: master

commit 252467100f75587e18df9c43ed5802ee8f0017fa
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/752703

Reviewing this and bug 1825549 they are both about lack of validation for the supplied value of the "next" parameter, so probably duplicates. I had classed the other report as merely security hardening, since the reporter apparently did not realize you could directly supply a URL there in some pages and get it to automatically redirect.

This sounds like a classic "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ( https://cwe.mitre.org/data/definitions/601.html ) so probably a class A vulnerability report per https://security.openstack.org/vmt-process.html#incident-report-taxonomy if it can be cleanly patched on all affected stable branches.

Reviewed: https://review.opendev.org/752703
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=baa370f84332ad41502daea29a551705696f4421
Submitter: Zuul
Branch: stable/ussuri

commit baa370f84332ad41502daea29a551705696f4421
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)

Once backports are in review for all of Horizon's supported stable branches, I'll proceed with requesting a CVE assignment and issuing an advisory.

Jeremy, what stable branches are in question? Is it enough to backport the patch to all branches in the maintained phase in https://releases.openstack.org/? Or Should we include "extended maintenance" branches?

Yes, that's what we attempt to convey at https://security.openstack.org/vmt-process.html#supported-versions but I'll push an update for that text to use current release team terminology and link to the releases site.

Once backports are in review for all affected stable branches which are in a Maintained state per the table on the main page of the releases site, we can issue an advisory. If someone also wants to add patches for branches which are under Extended Maintenance then those can be included in the advisory as a convenience, but they are not required for us to be able to move forward with it.

Fix proposed to branch: stable/train
Review: https://review.opendev.org/758841

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/758843

Thanks Jeremy for the clarification.
I just pushed backports to all stable branches in the "maintained" phase.
(Regarding more backports to EM branches, I will discuss with other horizon stable cores.)

First impact draft below, please review and suggest changes where needed.

@Radomir Dopieralski is there any organization/company you are affiliated with?

------------

Title: Open redirect possible in Horizon workflow forms
Reporter: Radomir Dopieralski ()
Products: Horizon
Affects: <18.6.0, <18.3.2, <=16.2.0, <=15.3.1

Description:
Radomir Dopieralski () reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Hi Gage, do you have a CVE# from Mitre for this? Also, Radomir is Red Hat and raised this bug on behalf of a report by Pritam Singh <email address hidden>. thanks, Summer

Not yet, once this draft is approved by the maintainers, I will request a CVE#.

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: <18.6.0, <18.3.2, <=16.2.0, <=15.3.1

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: >=18.4.0 <18.6.0, >=17.0.0 <18.3.2, <=16.2.0, <=15.3.1

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Gage's impact description in comment #22 looks good to me, except for some slight adjustments to the affected versions line. We typically list affected versions from oldest to newest, and do a strictly less than (<) the next possible point release version for the branch, using an inclusive greater than or equal (>=) to indicate the start of any new ranges of affected releases, with commas (,) separating distinct ranges. The goal is that the resulting list of ranges remains correct after publication without us needing to know what the upcoming version numbers will necessarily be.

In this case, since the master branch fix merged before the Victoria release (leaving stable/victoria unaffected), the stable/ussuri backport merged but has not been tagged with a point release yet, and the remaining backports for stable/train and stable/stein are still under review, I would recommend the following series of affected version ranges:

    "<15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3"

This effectively means that we consider any tagged versions lower than 15.3.2 affected (no tag for this exists but it is the next lowest possible release number for the stable/stein branch). Similarly the 16.0.0 release and any subsequent releases less than 16.2.1 are affected (there is no 16.2.1 on stable/train and may never be, but any version numbers defined by that range are affected). Similarly for the stable/ussuri versions starting from 17.0.0 and less than 18.3.3 (next lowest possible point release on that branch).

Reviewed: https://review.opendev.org/758841
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=6c208edf323ced07b15ec4bc3879bddb91d398bc
Submitter: Zuul
Branch: stable/train

commit 6c208edf323ced07b15ec4bc3879bddb91d398bc
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Conflicts:
            horizon/test/unit/workflows/test_workflows.py

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)
    (cherry picked from commit baa370f84332ad41502daea29a551705696f4421)

Reviewed: https://review.opendev.org/758843
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=9e0e333ab5277b6c396f602862ff90398cb0242b
Submitter: Zuul
Branch: stable/stein

commit 9e0e333ab5277b6c396f602862ff90398cb0242b
Author: Radomir Dopieralski <email address hidden>
Date: Mon Sep 7 21:03:36 2020 +0200

    Fix open redirect

    Make sure the "next" URL is in the same origin as Horizon before
    redirecting to it.

    Conflicts:
            horizon/test/unit/workflows/test_workflows.py

    Change-Id: I06b2bfc8e3638591615547780c3fa34b0abe19f6
    Closes-bug: #1865026
    (cherry picked from commit 252467100f75587e18df9c43ed5802ee8f0017fa)
    (cherry picked from commit baa370f84332ad41502daea29a551705696f4421)
    (cherry picked from commit 6c208edf323ced07b15ec4bc3879bddb91d398bc)

Any news on CVE assignment?

Revisiting more recent release activity since comment #23, this is what the affects line should include now:

<15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3, >=18.4.0 <18.6.0

15.3.2 was tagged with the fix before stable/stein transitioned to extended maintenance and all versions prior to it are assumed to be affected.

The first stable/train tag is 16.0.0 and most recent is 16.2.0, and the fix there has not been released yet so the earliest tag it could appear in would be 16.2.1.

The first stable/ussuri tag is 17.0.0 and most recent is 18.3.2, and the fix there has not been released yet so the earliest tag it could appear in would be 18.3.3.

The first stable/victoria tag is 18.4.0 and the fix there appeared in 18.6.0.

Updated, please review:

Title: Open redirect possible in Horizon workflow forms
Reporter: Pritam Singh (Red Hat)
Products: Horizon
Affects: <15.3.2, >=16.0.0 <16.2.1, >=17.0.0 <18.3.3, >=18.4.0 <18.6.0

Description:
Pritam Singh (Red Hat) reported a vulnerability in Horizon's workflow forms. Previously there was a lack of validation on the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.

Gage, your updated impact description in comment #28 looks great, thanks! You should be able to base a CVE request on that and push up an OSSA change with a CVE placeholder in the meantime.

OSSA gerrit: https://review.opendev.org/c/openstack/ossa/+/765388

CVE is pending.

Looks like CVE-2020-29565 has been assigned to this issue:
https://nvd.nist.gov/vuln/detail/CVE-2020-29565

OSSA-2020-008 has been published to relevant mailing lists and the https://security.openstack.org/ site.

This issue was fixed in the openstack/horizon 16.2.1 release.

This issue was fixed in the openstack/horizon 18.3.3 release.

This issue was fixed in the openstack/horizon pike-eol release.

This issue was fixed in the openstack/horizon queens-eol release.

This issue was fixed in the openstack/horizon rocky-eol release.