2015-01-09 22:01:30 |
Josh Kleinpeter |
bug |
|
|
added bug |
2015-01-09 22:01:30 |
Josh Kleinpeter |
attachment added |
|
Patch nova web proxy to check origin headers on web socket requests https://bugs.launchpad.net/bugs/1409142/+attachment/4294856/+files/de1754.against.master.diff |
|
2015-01-09 22:14:40 |
Jeremy Stanley |
description |
OpenStack Vulnerability Team:
Brian Manifold (bmanifol@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.
Please email Dave McCowan (dmccowan@cisco.com) for more details on the attached patch.
Issue Details:
Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.
This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.
Recommendation:
Verify the origin field in request header on all websocket requests.
Threat:
CWE-345
* Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.
CWE-346
* Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.
CWE-441
* Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.
Steps to reproduce:
1. Login to horizon
2. Pick an instance, go to console/vnc tab, wait for console to be loaded
3. In another browser tab or window, load a VNC console script from local
disk or remote site
4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
The original connection has been hijacked by the second connection
Root cause:
Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
OpenStack Vulnerability Team:
Brian Manifold (bmanifol@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.
Please email Dave McCowan (dmccowan@cisco.com) for more details on the attached patch.
Issue Details:
Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.
This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.
Recommendation:
Verify the origin field in request header on all websocket requests.
Threat:
CWE-345
* Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.
CWE-346
* Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.
CWE-441
* Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.
Steps to reproduce:
1. Login to horizon
2. Pick an instance, go to console/vnc tab, wait for console to be loaded
3. In another browser tab or window, load a VNC console script from local
disk or remote site
4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
The original connection has been hijacked by the second connection
Root cause:
Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request. |
|
2015-01-09 22:15:41 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
2015-01-09 22:15:51 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-01-09 22:15:58 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-01-12 15:37:41 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2015-01-15 14:20:47 |
Thierry Carrez |
ossa: importance |
Undecided |
Medium |
|
2015-01-24 17:45:34 |
Josh Kleinpeter |
bug |
|
|
added subscriber Dave McCowan |
2015-01-26 05:41:56 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305574/+files/1409142-master-kilo.patch |
|
2015-01-26 05:42:27 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305575/+files/1409142-stable-juno.patch |
|
2015-01-26 05:42:52 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305576/+files/1409142-stable-icehouse.patch |
|
2015-01-26 15:10:56 |
Thierry Carrez |
nominated for series |
|
nova/juno |
|
2015-01-26 15:10:56 |
Thierry Carrez |
bug task added |
|
nova/juno |
|
2015-01-26 15:10:56 |
Thierry Carrez |
nominated for series |
|
nova/kilo |
|
2015-01-26 15:10:56 |
Thierry Carrez |
bug task added |
|
nova/kilo |
|
2015-01-26 15:11:02 |
Thierry Carrez |
bug task deleted |
nova/kilo |
|
|
2015-01-26 15:11:13 |
Thierry Carrez |
nominated for series |
|
nova/icehouse |
|
2015-01-26 15:11:13 |
Thierry Carrez |
bug task added |
|
nova/icehouse |
|
2015-01-26 15:11:55 |
Thierry Carrez |
nova: status |
New |
In Progress |
|
2015-01-26 15:11:58 |
Thierry Carrez |
nova/icehouse: status |
New |
In Progress |
|
2015-01-26 15:12:01 |
Thierry Carrez |
nova/juno: status |
New |
In Progress |
|
2015-01-26 15:12:08 |
Thierry Carrez |
nova: importance |
Undecided |
High |
|
2015-01-26 15:12:10 |
Thierry Carrez |
nova/icehouse: importance |
Undecided |
High |
|
2015-01-26 15:12:12 |
Thierry Carrez |
nova/juno: importance |
Undecided |
High |
|
2015-01-26 23:43:08 |
Tristan Cacqueray |
ossa: status |
Confirmed |
In Progress |
|
2015-01-27 03:55:15 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305576/+files/1409142-stable-icehouse.patch |
|
|
2015-01-27 03:55:38 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305575/+files/1409142-stable-juno.patch |
|
|
2015-01-27 03:55:49 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4305574/+files/1409142-master-kilo.patch |
|
|
2015-01-27 03:56:34 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306212/+files/1409142-stable-icehouse.patch |
|
2015-01-27 03:57:05 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306213/+files/1409142-stable-juno.patch |
|
2015-01-27 03:57:34 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306214/+files/1409142-master-kilo.patch |
|
2015-02-06 16:36:47 |
Tristan Cacqueray |
summary |
Websocket Hijacking Vulnerability in Nova VNC Server |
Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) |
|
2015-02-06 16:36:55 |
Tristan Cacqueray |
cve linked |
|
2015-0259 |
|
2015-02-09 13:44:29 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2015-02-09 21:12:37 |
Grant Murphy |
bug |
|
|
added subscriber Paul McMillan |
2015-02-12 14:33:31 |
Thierry Carrez |
ossa: status |
Fix Committed |
In Progress |
|
2015-02-12 18:27:41 |
Dave McCowan |
bug |
|
|
added subscriber Loganathan Parthipan |
2015-02-13 18:05:07 |
Dave McCowan |
attachment added |
|
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4318908/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
2015-02-13 18:37:38 |
Dave McCowan |
attachment removed |
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4318908/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
|
2015-02-13 18:38:30 |
Dave McCowan |
attachment added |
|
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4318911/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
2015-02-16 15:07:56 |
Dave McCowan |
attachment added |
|
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320477/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
2015-02-17 05:08:02 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306212/+files/1409142-stable-icehouse.patch |
|
|
2015-02-17 05:08:18 |
Dave McCowan |
attachment removed |
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320477/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
|
2015-02-17 05:08:31 |
Dave McCowan |
attachment removed |
0001-Websocket-Proxy-should-verify-Origin-header.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4318911/+files/0001-Websocket-Proxy-should-verify-Origin-header.patch |
|
|
2015-02-17 05:08:43 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306214/+files/1409142-master-kilo.patch |
|
|
2015-02-17 05:08:55 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4306213/+files/1409142-stable-juno.patch |
|
|
2015-02-17 05:09:09 |
Dave McCowan |
attachment removed |
Patch nova web proxy to check origin headers on web socket requests https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4294856/+files/de1754.against.master.diff |
|
|
2015-02-17 05:09:52 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320783/+files/1409142-master-kilo.patch |
|
2015-02-17 05:10:20 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320784/+files/1409142-stable-juno.patch |
|
2015-02-17 05:10:43 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320785/+files/1409142-stable-icehouse.patch |
|
2015-02-17 15:16:46 |
Tristan Cacqueray |
bug |
|
|
added subscriber Alan Pevec |
2015-02-17 15:17:45 |
Tristan Cacqueray |
bug |
|
|
added subscriber Adam Gandelman |
2015-02-19 12:39:25 |
Tristan Cacqueray |
bug |
|
|
added subscriber Garth Mollett |
2015-02-19 23:00:39 |
Tristan Cacqueray |
bug |
|
|
added subscriber Thomas Goirand |
2015-02-25 16:39:03 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320783/+files/1409142-master-kilo.patch |
|
|
2015-02-25 16:39:17 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320784/+files/1409142-stable-juno.patch |
|
|
2015-02-25 16:39:38 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4320785/+files/1409142-stable-icehouse.patch |
|
|
2015-02-25 16:40:10 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327268/+files/1409142-master-kilo.patch |
|
2015-02-25 16:40:34 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327269/+files/1409142-stable-juno.patch |
|
2015-02-25 16:40:59 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327270/+files/1409142-stable-icehouse.patch |
|
2015-02-25 20:13:20 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327268/+files/1409142-master-kilo.patch |
|
|
2015-02-25 20:13:44 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327525/+files/1409142-master-kilo.patch |
|
2015-02-26 00:25:10 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327269/+files/1409142-stable-juno.patch |
|
|
2015-02-26 00:25:23 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327270/+files/1409142-stable-icehouse.patch |
|
|
2015-02-26 00:25:35 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327525/+files/1409142-master-kilo.patch |
|
|
2015-02-26 00:26:09 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327852/+files/1409142-master-kilo.patch |
|
2015-02-26 00:26:46 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327853/+files/1409142-stable-juno.patch |
|
2015-02-26 00:27:06 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327854/+files/1409142-stable-icehouse.patch |
|
2015-02-28 02:42:02 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327852/+files/1409142-master-kilo.patch |
|
|
2015-02-28 02:42:12 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327853/+files/1409142-stable-juno.patch |
|
|
2015-02-28 02:42:24 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4327854/+files/1409142-stable-icehouse.patch |
|
|
2015-02-28 02:43:05 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330159/+files/1409142-stable-icehouse.patch |
|
2015-02-28 02:43:35 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330160/+files/1409142-stable-juno.patch |
|
2015-02-28 14:21:34 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330524/+files/1409142-master-kilo.patch |
|
2015-03-02 15:46:20 |
Thomas Goirand |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778618 |
|
2015-03-02 20:03:36 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330524/+files/1409142-master-kilo.patch |
|
|
2015-03-02 20:04:48 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4332527/+files/1409142-master-kilo.patch |
|
2015-03-02 21:29:24 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4332527/+files/1409142-master-kilo.patch |
|
|
2015-03-02 21:29:50 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4332635/+files/1409142-master-kilo.patch |
|
2015-03-03 20:29:48 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4332635/+files/1409142-master-kilo.patch |
|
|
2015-03-03 20:30:39 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4333723/+files/1409142-master-kilo.patch |
|
2015-03-03 21:25:44 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330160/+files/1409142-stable-juno.patch |
|
|
2015-03-03 21:26:09 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4333741/+files/1409142-stable-juno.patch |
|
2015-03-03 23:03:50 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2015-03-06 19:57:44 |
Paul McMillan |
attachment added |
|
190.diff https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4336513/+files/190.diff |
|
2015-03-06 21:27:27 |
Dave McCowan |
attachment removed |
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4330159/+files/1409142-stable-icehouse.patch |
|
|
2015-03-06 21:27:37 |
Dave McCowan |
attachment removed |
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4333723/+files/1409142-master-kilo.patch |
|
|
2015-03-06 21:27:48 |
Dave McCowan |
attachment removed |
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4333741/+files/1409142-stable-juno.patch |
|
|
2015-03-06 21:28:12 |
Dave McCowan |
attachment added |
|
1409142-stable-icehouse.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4336569/+files/1409142-stable-icehouse.patch |
|
2015-03-06 21:28:32 |
Dave McCowan |
attachment added |
|
1409142-stable-juno.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4336570/+files/1409142-stable-juno.patch |
|
2015-03-06 21:28:51 |
Dave McCowan |
attachment added |
|
1409142-master-kilo.patch https://bugs.launchpad.net/nova/+bug/1409142/+attachment/4336571/+files/1409142-master-kilo.patch |
|
2015-03-10 14:59:33 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
2015-03-10 15:00:32 |
OpenStack Infra |
nova: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-03-10 15:01:29 |
OpenStack Infra |
nova/juno: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-03-10 15:02:02 |
OpenStack Infra |
nova/icehouse: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-03-10 15:03:47 |
Tristan Cacqueray |
summary |
Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) |
[OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) |
|
2015-03-10 15:30:05 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-03-11 09:41:13 |
Alan Pevec |
nova/icehouse: milestone |
|
2014.1.4 |
|
2015-03-11 14:46:50 |
OpenStack Infra |
nova: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Sylvain Bauza (sylvain-bauza) |
|
2015-03-11 20:45:49 |
OpenStack Infra |
nova: assignee |
Sylvain Bauza (sylvain-bauza) |
Dave McCowan (dave-mccowan) |
|
2015-03-11 22:03:39 |
OpenStack Infra |
nova/juno: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Dave McCowan (dave-mccowan) |
|
2015-03-11 22:25:14 |
OpenStack Infra |
nova/icehouse: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Dave McCowan (dave-mccowan) |
|
2015-03-12 02:41:07 |
OpenStack Infra |
nova: assignee |
Dave McCowan (dave-mccowan) |
Tony Breeds (o-tony) |
|
2015-03-12 04:09:01 |
OpenStack Infra |
nova: assignee |
Tony Breeds (o-tony) |
Dave McCowan (dave-mccowan) |
|
2015-03-12 15:31:14 |
OpenStack Infra |
nova: status |
In Progress |
Fix Committed |
|
2015-03-13 00:44:38 |
OpenStack Infra |
nova/icehouse: status |
In Progress |
Fix Committed |
|
2015-03-13 00:52:18 |
Alan Pevec |
nova/icehouse: status |
Fix Committed |
Fix Released |
|
2015-03-13 17:30:35 |
OpenStack Infra |
nova/juno: status |
In Progress |
Fix Committed |
|
2015-03-13 17:47:32 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
2015-03-20 07:37:22 |
Thierry Carrez |
nova: status |
Fix Committed |
Fix Released |
|
2015-03-20 07:37:22 |
Thierry Carrez |
nova: milestone |
|
kilo-3 |
|
2015-04-09 18:52:36 |
Adam Gandelman |
nova/juno: milestone |
|
2014.2.3 |
|
2015-04-10 06:44:27 |
Adam Gandelman |
nova/juno: status |
Fix Committed |
Fix Released |
|
2015-04-14 21:23:57 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
OpenStack Vulnerability Team:
Brian Manifold (bmanifol@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.
Please email Dave McCowan (dmccowan@cisco.com) for more details on the attached patch.
Issue Details:
Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.
This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.
Recommendation:
Verify the origin field in request header on all websocket requests.
Threat:
CWE-345
* Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.
CWE-346
* Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.
CWE-441
* Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.
Steps to reproduce:
1. Login to horizon
2. Pick an instance, go to console/vnc tab, wait for console to be loaded
3. In another browser tab or window, load a VNC console script from local
disk or remote site
4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
The original connection has been hijacked by the second connection
Root cause:
Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request. |
OpenStack Vulnerability Team:
Brian Manifold (bmanifol@cisco.com) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.
Please email Dave McCowan (dmccowan@cisco.com) for more details on the attached patch.
Issue Details:
Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.
This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.
Recommendation:
Verify the origin field in request header on all websocket requests.
Threat:
CWE-345
* Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.
CWE-346
* Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.
CWE-441
* Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.
Steps to reproduce:
1. Login to horizon
2. Pick an instance, go to console/vnc tab, wait for console to be loaded
3. In another browser tab or window, load a VNC console script from local
disk or remote site
4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
The original connection has been hijacked by the second connection
Root cause:
Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request. |
|
2015-04-30 09:21:37 |
Thierry Carrez |
nova: milestone |
kilo-3 |
2015.1.0 |
|
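The recommendation in the bug description above, verifying the Origin header on every WebSocket handshake, sketched as an added example; it is not Nova's patch and not code from this bug report. The function names, the allow-list and the sample handshakes (host names, request path) are constructed for illustration. The check compares the full scheme/host/port tuple exactly and rejects opaque origins such as `null`, which a script loaded from local disk (step 3 of the reproduction) can present.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw_request):
    """Return [(lowercased-name, value), ...] from a raw HTTP upgrade request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def normalize_origin(value):
    """Map a serialized origin to (scheme, host, port); None if it is unusable."""
    try:
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None  # "null", file:// and other non-web origins
        if parts.username or parts.path or parts.query or parts.fragment:
            return None  # an origin is scheme://host[:port] and nothing else
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # bad port or malformed bracketed host
        return None
    return scheme, parts.hostname.lower(), port


def origin_allowed(raw_request, allowed_origins):
    """Decide whether a WebSocket handshake may proceed; returns (ok, reason).

    Assumption of this sketch: a handshake with no Origin header is refused.
    Whether to admit non-browser clients that omit it is a deployment decision.
    """
    origins = [v for n, v in parse_headers(raw_request) if n == "origin"]
    if len(origins) != 1:
        return False, "missing or repeated Origin header"
    origin = normalize_origin(origins[0])
    if origin is None:
        return False, "opaque or malformed origin"
    # Exact tuple comparison: no prefix, suffix or substring matching.
    if origin not in {normalize_origin(o) for o in allowed_origins}:
        return False, "origin not in allow-list"
    return True, "ok"


# --- constructed sample data (not taken from the bug report) ---
ALLOWED = ["https://horizon.example.test"]


def handshake(origin):
    """Build a constructed WebSocket upgrade request with the given Origin."""
    lines = [
        "GET /console HTTP/1.1",
        "Host: console.example.test:6080",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append("Origin: " + origin)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    samples = [
        "https://horizon.example.test",                   # the dashboard itself
        "https://horizon.example.test:443",               # same origin, explicit port
        "http://horizon.example.test",                    # wrong scheme
        "https://attacker.example",                       # another site
        "https://horizon.example.test.attacker.example",  # look-alike suffix
        "null",                                           # opaque origin
        None,                                             # header absent
    ]
    for sample in samples:
        print(repr(sample), origin_allowed(handshake(sample), ALLOWED))
```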