novncproxy open redirect

Bug #1988302 reported by Valery Tschopp
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | New | Undecided | Unassigned | |
| OpenStack Security Advisory | Incomplete | Undecided | Unassigned | |

Bug Description

Security Issue
==============

We have found an open redirect vulnerability in Nova novncproxy.

Impact
======

- Attackers can serve malicious websites that steal passwords or download ransomware to their victims' machines due to a redirect and there are a heap of other attack vectors.
- Attackers may be able to use this to execute believable phishing attacks, bypass authentication, or (in rare circumstances) violate CSRF mitigations.

Steps to Reproduce
==================

Simply curl the URL below and it will redirect to google.com

http://nova-novncproxy:6080////google.com/%2f%2e%2e

Example
=======

$ curl "http://nova-novncproxy:6080////google.com/%2f.." -v
* Trying 10.X.Y.Z...
* TCP_NODELAY set
* Connected to nova-novncproxy (10.X.Y.Z) port 6080 (#0)
> GET ////google.com/%2f.. HTTP/1.1
> Host: nova-novncproxy:6080
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: WebSockify Python/3.6.9
< Date: Wed, 31 Aug 2022 11:59:29 GMT
< Location: //google.com/%2f../

Reference
=========

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
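
The following is an added example, not part of the original report and not nova or websockify code. It resolves the `Location` value from the transcript the way an HTTP client does, showing why a value starting with `//` leaves the proxy's origin. `collapse_leading_slashes` and `safe_directory_redirect` are hypothetical helpers illustrating one mitigation, on the assumption that the server echoes the request path into `Location`.

```python
"""Added example: evaluate a redirect the way an HTTP client resolves it."""
from urllib.parse import urljoin, urlsplit

# Values copied from the curl transcript in the report.
REQUEST_URL = "http://nova-novncproxy:6080////google.com/%2f.."
LOCATION = "//google.com/%2f../"


def origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def redirect_target(request_url, location):
    """Resolve a Location value against the request URL (RFC 3986, section 5.2).

    A value starting with '//' is a network-path reference: it keeps the
    scheme of the request but replaces the authority (host and port).
    """
    return urljoin(request_url, location)


def leaves_origin(request_url, location):
    """True when following the redirect lands on a different origin."""
    return origin(redirect_target(request_url, location)) != origin(request_url)


def collapse_leading_slashes(path):
    """Hypothetical mitigation helper: reduce a run of leading '/' to one so
    a path echoed into Location can never be parsed as '//authority'."""
    return "/" + path.lstrip("/") if path.startswith("//") else path


def safe_directory_redirect(request_path):
    """Hypothetical: Location value for a trailing-slash redirect, built from
    the normalized path instead of the raw request path."""
    return collapse_leading_slashes(request_path).rstrip("/") + "/"


if __name__ == "__main__":
    print("transcript Location resolves to:", redirect_target(REQUEST_URL, LOCATION))
    print("leaves origin:", leaves_origin(REQUEST_URL, LOCATION))
    fixed = safe_directory_redirect(urlsplit(REQUEST_URL).path)
    print("normalized Location:", fixed, "-> leaves origin:",
          leaves_origin(REQUEST_URL, fixed))
```

The same `leaves_origin` check can be run over `Location` headers captured from a proxy or scanner to flag responses that redirect off-host.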

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

This report sounds strikingly similar to "OSSA-2021-002: Open Redirect in noVNC proxy" which we published in July of last year. What version of Nova did you encounter the problem in?

https://security.openstack.org/ossa/OSSA-2021-002.html

description: updated
Changed in ossa:
status: New → Incomplete
Valery Tschopp (valery-tschopp) wrote :

We are using a Train version of Nova, installed on Ubuntu Bionic 18.04:

python3-nova/now 2:20.6.0-0ubuntu1~cloud1 all [installed,local]
nova-novncproxy/now 2:20.6.0-0ubuntu1~cloud1 all [installed,local]

And you are right, "OSSA-2021-002: Open Redirect in noVNC proxy" is the description of the issue.

Is a patched package available for Ubuntu Bionic 18.04?

Jeremy Stanley (fungi) wrote :

That would be a question for the Ubuntu package maintainers, but we did publish backports to the stable/train branch for that advisory and its errata.

Thanks for confirming this is the same issue, I'll switch this report to public and mark it as a duplicate of bug 1927677.

information type: Private Security → Public Security
description: updated
This report contains Public Security information  
Everyone can see this security related information.