[OSSA 2015-009] Sanitation of metadata label (CVE-2015-3988)

Looks like this same thing is possible for flavors metadata, too.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

I was able to open the Update Image Metadata page in a new tab, just right-click on the "Update Metadata" button and select "Open in new Tab"

I've spent a bit of time looking at this. I can confirm the problem.

The problem is in our angular metadata widget. When item.leaf.name is used in html such as in horizon/static/angular/metadata-tree/metadata-tree-item.html it needs to be escaped. I'm not sure if that's better accomplished in the template or the js.

Fixed!

A patch was pushed in public to https://review.openstack.org/179429 mentioning the vulnerability and this bug, so we're going to need to assume this is now disclosed and continue working it as a public security bug.

https://review.openstack.org/#/c/179429/ fixes the bug but introduces a new one.

With this patch, the script is not run, so this closes the vulnerability.

The field name is now displayed as "&lt;&#x2f;script&gt;&lt;script&gt;alert(1);&lt;&#x2f;script&gt;" rather than "</script><script>alert(1)</script>" as expected.

Then I tried to update the metadata with a new field "</script><script>alert(2)</script>", and the Update Image Metadata showed an error "Unable to update the image metadata.".

Thanks Brant for the detailed report!

Here is the proposed impact description, can you please confirm that only Kilo is affected and that the "update metadata" page is admin only ?

Title: Persistent XSS in Horizon image metadata dashboard
Reporter: Brant Knudson (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Brant Knudson from IBM reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting a malicious Glance image metadata and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected. All Horizon setups are affected.

For the Reporter, put "Sunil Yadav - IBM Security Services". I didn't find the problem it was a security analysis team we asked to check out Horizon.

Also, I believe that this affects not just glance metadata, but all the other things that have metadata (e.g., flavors).

I'll look into the rest of these if horizon folks don't have the time.

Thanks Brant for the feedback. So looking at _update_metadata.html file, it affects image, flavors and aggregates.

Title: Persistent XSS in Horizon metadata dashboard
Reporter: Sunil Yadav (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Sunil Yadav from IBM Security Services reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting malicious metadata to Glance image, Nova flavor or Host Aggregates and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected.

While playing around with the widget, something else happened.
Looks like the meta label is not properly deleted either.

Steps to reproduce:
1. Add "<script>something</script>" as meta label
2. Add "asdf" as value
3. Save
3. Go back and delete the meta data
4. Save
5. Go back, the meta data is still there

Looks like "/" character breaks the entire thing. As a result, subsequent updates to it will fail. Looking into whether this is front-end or back-end issue.

I tried recreating this on stable/juno devstack (horizon is at http://git.openstack.org/cgit/openstack/horizon/commit/?h=stable/juno&id=db641dccb68ae3ff0bdd70dc7d60dc9605fe31c0 ) and was able to recreate with images. I wasn't able to set the metadata for a flavor to something with HTML in it, I got an error back instead. Maybe it can be done through the REST API.

It was a problem with how data was passed from Django to Angular widget. Commit above should fix this.
It's probably a good time to consider using angular modals and replacing this legacy code passing Django variables with REST endpoints.

Szymon - Which commit?

https://review.openstack.org/#/c/179429/

Reviewed: https://review.openstack.org/179429
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=e7f3e0880f4e311c768c413e43317674cb234515
Submitter: Jenkins
Branch: master

commit e7f3e0880f4e311c768c413e43317674cb234515
Author: Thai Tran <email address hidden>
Date: Fri May 1 10:25:29 2015 -0700

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260

Fixing some typos in the impact description. Is this version good enough to request a CVE with it ?

Title: Persistent XSS in Horizon metadata dashboard
Reporter: Sunil Yadav (IBM)
Products: Horizon
Affects: version 2015.1.0

Description:
Sunil Yadav from IBM Security Services reported a persistent XSS in Horizon. An authenticated user may conduct a persistent XSS attack by setting a malicious metadata to a Glance image, a Nova flavor or a Host Aggregate and tricking an administrator to load the update metadata page. Once executed in a legitimate context this attack may result in a privilege escalation. All Horizon setups are affected.

Assuming the XSS attack risk is only to administrator accounts, that impact description looks fine. Is that page not visible to other users (perhaps to other accounts for the same tenant)?

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/183656

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/183659

Maybe this problem doesn't exist in icehouse... I can't find similar code.

 http://git.openstack.org/cgit/openstack/horizon/tree/openstack_dashboard/dashboards/project/containers/templates/containers/_container_metadata.html?h=stable/icehouse

Using master and deploying with devstack, when I login as the "demo" user I don't see the metadata options.

I was able to verify that this also affects juno and the backport proposed in https://review.openstack.org/#/c/183659/ fixes it.

Nice catch Brant thanks. I've updated the proposed advisory here: http://docs-draft.openstack.org/92/184092/1/check/gate-ossa-docs/788e44f//doc/build/html/_sources/ossa/OSSA-2015-009.txt

Related change: https://review.openstack.org/184092/

Note that the publication date is set to first Monday after the summit.

Reviewed: https://review.openstack.org/183659
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=6c944b5013acb0dce7cf3d8717e58f7f2427be07
Submitter: Jenkins
Branch: stable/juno

commit 6c944b5013acb0dce7cf3d8717e58f7f2427be07
Author: Brant Knudson <email address hidden>
Date: Fri May 15 14:21:31 2015 -0500

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Conflicts:
     horizon/templates/horizon/common/_modal_form_update_metadata.html

    The conflict was that there are extra spaces in the line.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260
    (cherry picked from commit 81e1fa13177c8e259c90183409696305f55cdd75)
    (cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)

The stable/kilo change is still blocked by jenkins: https://review.openstack.org/183656/

Reviewed: https://review.openstack.org/183656
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=30dde700701040d0d405e7e759a3d73e3b97bf71
Submitter: Jenkins
Branch: stable/kilo

commit 30dde700701040d0d405e7e759a3d73e3b97bf71
Author: Thai Tran <email address hidden>
Date: Fri May 1 10:25:29 2015 -0700

    Sanitation of metadata passed from Django

    We need to escape HTML in metadata passed from Django, which
    can lead to security issues. Refer to the bug for more details.

    Co-Authored-By: Szymon Wroblewski <email address hidden>
    Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
    Closes-bug: #1449260
    (cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)