[OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)

Bug #1449260 reported by Brant Knudson on 2015-04-27
Affects                         Status   Importance   Assigned to          Milestone
OpenStack Dashboard (Horizon)            Critical     Szymon Wróblewski
  Juno                                   Critical     Brant Knudson
  Kilo                                   Critical     Brant Knudson
OpenStack Security Advisory              High         Tristan Cacqueray

Bug Description

1) Start up Horizon
2) Go to Images
3) Next to an image, pick "Update Metadata"
4) From the dropdown button, select "Update Metadata"
5) In the Custom box, enter a value with some HTML like '</script><script>alert(1)</script>//', click +
6) On the right-hand side, give it a value, like "ee"
7) Click "Save"
8) Pick "Update Metadata" for the image again, the page will fail to load, and the JavaScript console says:

SyntaxError: invalid property id
var existing_metadata = {"

An alternative is if you change the URL to update_metadata for the image (for example, http://192.168.122.239/admin/images/fa62ba27-e731-4ab9-8487-f31bac355b4c/update_metadata/), it will actually display the alert box and a bunch of junk.

I'm not sure if update_metadata is actually a page, though... can't figure out how to get to it other than typing it in.

Brant Knudson (blk-u) wrote :

Looks like this same thing is possible for flavors metadata, too.

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Brant Knudson (blk-u) wrote :

I was able to open the Update Image Metadata page in a new tab, just right-click on the "Update Metadata" button and select "Open in new Tab"

Doug Fish (drfish) on 2015-04-27
Changed in horizon:
assignee: nobody → Doug Fish (drfish)
Doug Fish (drfish) wrote :

I've spent a bit of time looking at this. I can confirm the problem.

The problem is in our angular metadata widget. When item.leaf.name is used in html such as in horizon/static/angular/metadata-tree/metadata-tree-item.html it needs to be escaped. I'm not sure if that's better accomplished in the template or the js.

Changed in horizon:
status: New → Confirmed
assignee: Doug Fish (drfish) → nobody
Thai Tran (tqtran) on 2015-05-01
Changed in horizon:
assignee: nobody → Thai Tran (tqtran)
Thai Tran (tqtran) wrote :

Fixed!

Changed in horizon:
importance: Undecided → Critical
milestone: none → liberty-1
Jeremy Stanley (fungi) wrote :

A patch was pushed in public to https://review.openstack.org/179429 mentioning the vulnerability and this bug, so we're going to need to assume this is now disclosed and continue working it as a public security bug.

description: updated
information type: Private Security → Public Security
Brant Knudson (blk-u) wrote :

https://review.openstack.org/#/c/179429/ fixes the bug but introduces a new one.

With this patch, the script is not run, so this closes the vulnerability.

The field name is now displayed as "&lt;&#x2f;script&gt;&lt;script&gt;alert(1);&lt;&#x2f;script&gt;" rather than "</script><script>alert(1)</script>" as expected.

Then I tried to update the metadata with a new field "</script><script>alert(2)</script>", and the Update Image Metadata showed an error "Unable to update the image metadata.".

Thanks Brant for the detailed report!

Here is the proposed impact description, can you please confirm that only Kilo is affected and that the "update metadata" page is admin only?

Title: Persistent XSS in Horizon image metadata dashboard
Reporter: Brant Knudson (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Brant Knudson from IBM reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting a malicious Glance image metadata and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected.

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Critical
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Brant Knudson (blk-u) wrote :

For the Reporter, put "Sunil Yadav - IBM Security Services". I didn't find the problem; it was a security analysis team we asked to check out Horizon.

Also, I believe that this affects not just glance metadata, but all the other things that have metadata (e.g., flavors).

I'll look into the rest of these if horizon folks don't have the time.

Thierry Carrez (ttx) on 2015-05-04
Changed in ossa:
importance: Critical → High
status: Confirmed → Triaged

Thanks Brant for the feedback. So looking at _update_metadata.html file, it affects image, flavors and aggregates.

Title: Persistent XSS in Horizon metadata dashboard
Reporter: Sunil Yadav (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Sunil Yadav from IBM Security Services reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting malicious metadata to Glance image, Nova flavor or Host Aggregates and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected.

Thai Tran (tqtran) wrote :

While playing around with the widget, something else happened.
Looks like the meta label is not properly deleted either.

Steps to reproduce:
1. Add "<script>something</script>" as meta label
2. Add "asdf" as value
3. Save
4. Go back and delete the meta data
5. Save
6. Go back, the meta data is still there

Thai Tran (tqtran) wrote :

Looks like "/" character breaks the entire thing. As a result, subsequent updates to it will fail. Looking into whether this is front-end or back-end issue.

Brant Knudson (blk-u) wrote :

I tried recreating this on stable/juno devstack (horizon is at http://git.openstack.org/cgit/openstack/horizon/commit/?h=stable/juno&id=db641dccb68ae3ff0bdd70dc7d60dc9605fe31c0 ) and was able to recreate with images. I wasn't able to set the metadata for a flavor to something with HTML in it, I got an error back instead. Maybe it can be done through the REST API.

Changed in horizon:
assignee: Thai Tran (tqtran) → Szymon Wróblewski (bluex)
status: Confirmed → In Progress
Szymon Wróblewski (bluex) wrote :

It was a problem with how data was passed from Django to the Angular widget. The commit above should fix this.
It's probably a good time to consider using angular modals and replacing this legacy code passing Django variables with REST endpoints.
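Szymon's diagnosis above (metadata handed from Django into the Angular widget) and Brant's earlier observation of the entity-encoded label name, illustrated with an added Python example that is not Horizon's code: the raw embedding that lets a `</script>` label end the script element, the over-escaped variant whose HTML entities reach the widget as data and are shown literally, and a JSON literal escaped for the script context so the label round-trips intact. The template string, sample metadata and helper names are constructed for this example.

```python
import html
import json
import re

# Constructed sample: the label from the bug report plus a benign key.
METADATA = {"</script><script>alert(1)</script>//": "ee", "os_distro": "ubuntu"}

# Constructed stand-in for the Django template line that feeds the widget.
TEMPLATE = "<script>var existing_metadata = %s;</script>"


def embed_unsafe(metadata):
    """The reported bug: raw JSON inside a <script> block. A '</script>' in a
    key ends the element early and the browser parses the rest as markup."""
    return TEMPLATE % json.dumps(metadata)


def embed_double_escaped(metadata):
    """The over-correction Brant describes: HTML-escape (with '/' as &#x2f;)
    before JSON-encoding. No breakout, but the entities travel as data and
    the widget displays them literally."""
    def esc(s):
        return html.escape(s).replace("/", "&#x2f;")
    return TEMPLATE % json.dumps({esc(k): esc(v) for k, v in metadata.items()})


def embed_safe(metadata):
    """Context-correct: keep the data intact but make the JSON text unable
    to contain '</script' or any tag, by \\u-escaping <, > and & (the same
    substitution Django's json_script filter performs)."""
    text = json.dumps(metadata)
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        text = text.replace(ch, rep)
    return TEMPLATE % text


def script_breakout(page):
    """True if the script element body contains an early '</script'."""
    body = page[len("<script>"):-len("</script>")]
    return "</script" in body.lower()


def json_literal_labels(page):
    """Labels decoded from the JSON literal, i.e. what the widget would bind
    (meaningful only when script_breakout() is False)."""
    match = re.search(r"var existing_metadata = (.*);</script>$", page)
    return sorted(json.loads(match.group(1)))
```

Only the third variant both blocks the breakout and returns the original label text to the widget; HTML-escaping belongs at the point where Angular renders the string, not in the JSON handed to it.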

Brant Knudson (blk-u) wrote :

Szymon - Which commit?

Reviewed: https://review.openstack.org/179429
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=e7f3e0880f4e311c768c413e43317674cb234515
Submitter: Jenkins
Branch: master

commit e7f3e0880f4e311c768c413e43317674cb234515
Author: Thai Tran <email address hidden>
Date: Fri May 1 10:25:29 2015 -0700

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260

Changed in horizon:
status: In Progress → Fix Committed
sunil (sunilyadav165) on 2015-05-08
Changed in horizon:
status: Fix Committed → Fix Released
Brant Knudson (blk-u) on 2015-05-09
Changed in horizon:
status: Fix Released → Fix Committed
tags: added: icehouse-backport-potential juno-backport-potential kilo-backport-potential

Fixing some typos in the impact description. Is this version good enough to request a CVE with it?

Title: Persistent XSS in Horizon metadata dashboard
Reporter: Sunil Yadav (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Sunil Yadav from IBM Security Services reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting a malicious metadata to a Glance image, a Nova flavor or a Host Aggregate and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected.

Jeremy Stanley (fungi) wrote :

Assuming the XSS attack risk is only to administrator accounts, that impact description looks fine. Is that page not visible to other users (perhaps to other accounts for the same tenant)?

Changed in ossa:
status: Triaged → In Progress
summary: - Sanitation of metadata label
+ Sanitation of metadata label (CVE-2015-3988)
Brant Knudson (blk-u) wrote :

Using master and deploying with devstack, when I log in as the "demo" user I don't see the metadata options.

Brant Knudson (blk-u) wrote :

I was able to verify that this also affects juno and the backport proposed in https://review.openstack.org/#/c/183659/ fixes it.

Nice catch, Brant, thanks. I've updated the proposed advisory here: http://docs-draft.openstack.org/92/184092/1/check/gate-ossa-docs/788e44f//doc/build/html/_sources/ossa/OSSA-2015-009.txt

Related change: https://review.openstack.org/184092/

Note that the publication date is set to the first Monday after the summit.

Reviewed: https://review.openstack.org/183659
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=6c944b5013acb0dce7cf3d8717e58f7f2427be07
Submitter: Jenkins
Branch: stable/juno

commit 6c944b5013acb0dce7cf3d8717e58f7f2427be07
Author: Brant Knudson <email address hidden>
Date: Fri May 15 14:21:31 2015 -0500

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Conflicts:
     horizon/templates/horizon/common/_modal_form_update_metadata.html

    The conflict was that there are extra spaces in the line.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260
    (cherry picked from commit 81e1fa13177c8e259c90183409696305f55cdd75)
    (cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)

tags: added: in-stable-juno

The stable/kilo change is still blocked by jenkins: https://review.openstack.org/183656/

Changed in ossa:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/183656
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=30dde700701040d0d405e7e759a3d73e3b97bf71
Submitter: Jenkins
Branch: stable/kilo

commit 30dde700701040d0d405e7e759a3d73e3b97bf71
Author: Thai Tran <email address hidden>
Date: Fri May 1 10:25:29 2015 -0700

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260
    (cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)

tags: added: in-stable-kilo
summary: - Sanitation of metadata label (CVE-2015-3988)
+ [OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)
Changed in ossa:
status: Fix Committed → Fix Released
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in horizon:
milestone: liberty-1 → 8.0.0
Alan Pevec (apevec) on 2015-11-17
tags: removed: icehouse-backport-potential in-stable-juno in-stable-kilo juno-backport-potential kilo-backport-potential