noVNC insecure cookie allows session hijacking
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Invalid
|
Undecided
|
Unassigned | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
| OpenStack Security Notes |
Fix Released
|
Undecided
|
Paul McMillan | ||
Bug Description
This is a follow-on to https:/
The noVNC websocket token cookie is not set as secure-only. This is practically exploitable by an attacker who can read user traffic.
The setup is as follows:
Nova and horizon configured to serve from https. Nova is patched to resolve #1409142.
User is accessing the cloud through a man in the middle who controls all traffic to and from the user. [1]
user -> attacker -> cloud(https)
Here's what happens:
1) User logs into cloud securely via https:/
2) User securely accesses a server via websocket VNC and logs in. User (optionally) closes this window.
3) User opens a new browser tab to an insecure site (it can be any insecure site at all)
4) On receiving the request for the insecure site, the attacker fetches it from the source, and rewrites it to include an invisible attack iframe before serving it to the user. [2]
5) The attack iframe directs the user's browser to open http://
6) When the user's browser requests http://
7) The attacker now has access to the auth token used to open the VNC socket (since the most recent one is sent in a cookie), and can stay connected to that socket indefinitely in any browser.
A clever attacker will cycle the iframe contents repeatedly, and steal every VNC socket a user opens as the token cookies change, rather than just the most recent one. As long as the attacker stays connected to the socket, the connection stays open indefinitely.
Note that the above attack does not involve the user clicking through any TLS warnings, and does not involve them actively clicking phishing links or anything similar.
Fixing this is going to involve letting noVNC know when it is supposed to be behind TLS, and modifying cookie setting behavior accordingly. Django's documentation on this is a good starting place for a fairly standard approach to telling an application it is receiving HTTPS traffic:
https:/
-Paul
[1] As a practical aside, it is easy to become this mitm on most local network segments, so users who connect to any network with any untrusted users are vulnerable. An attacker who can only read user traffic (without the ability to block or modify it) can usually become a full mitm by spoofing DNS responses.
[2] the attacker can actually do this step at any point in the process, even before step 1.
| description: | updated |
| Jeremy Stanley (fungi) wrote | #1 |
| Changed in ossa: | |
| status: | New → Incomplete |
| description: | updated |
| Andrew Laski (alaski) wrote | #2 |
| Paul McMillan (paul-mcmillan) wrote | #3 |
| Jeremy Stanley (fungi) wrote | #4 |
| Jeremy Stanley (fungi) wrote | #5 |
| Paul McMillan (paul-mcmillan) wrote | #6 |
| Jeremy Stanley (fungi) wrote | #7 |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| description: | updated |
| Changed in nova: | |
| status: | New → Invalid |
| Tristan Cacqueray (tristan-cacqueray) wrote | #8 |
| Robert Clark (robert-clark) wrote | #9 |
| Paul McMillan (paul-mcmillan) wrote | #10 |
| Nathan Kinder (nkinder) wrote | #11 |
| information type: | Private Security → Public Security |
| Nathan Kinder (nkinder) wrote | #12 |
| Changed in ossn: | |
| assignee: | nobody → Paul McMillan (paul-mcmillan) |
| status: | New → Fix Released |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.