[OSSA 2014-027] Persistent XSS in the Host Aggregates interface (CVE-2014-3594)

Bug #1349491 reported by Tristan Cacqueray on 2014-07-28
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | | Medium | Julie Pichon |
Havana | | Medium | Julie Pichon |
Icehouse | | Medium | Julie Pichon |
OpenStack Security Advisory | | Medium | Tristan Cacqueray |

Bug Description

Received 2014-07-28 18:08:47 +0200 via encrypted E-mail from "Dennis Felsch <email address hidden>":

Hi everyone,

We spotted an issue with Horizon in OpenStack Icehouse and the current
development version of Juno (older versions not tested):

The interface for Host Aggregates is vulnerable to persistent XSS.

Steps to reproduce the issue:

 * Log into Horizon as admin
 * Go to "Host Aggregates"
 * Create a new host aggregate
 * Enter some name and an availability zone like this: <svg onload=alert(1)>
 * Save
 * See alert pop up

Because we are researchers, we are happy to help you, whenever we can.
However, from the research point of view, it would be really nice to get
some acknowledgment on your site about this issue. Is something
like this possible?

The people working on this are:
Dennis Felsch (me), <email address hidden>
Mario Heiderich, <email address hidden>

Please let me know if you need more info.

Greetings,
Dennis

CVE References

Changed in ossa:
status: New → Incomplete
importance: Undecided → High
Julie Pichon (jpichon) wrote :

Thank you for the bug report. I just reproduced on the master branch.

This is happening for the AZ name in the metadata column. This is caused by horizon using the 'unordered_list' django filter outside the context of a template, causing autoescaping not to be switched on and the input not to be sanitised. A quick check suggests this is the only file in the codebase where we're using this filter.

With regard to the impact, I think it is limited because only admins are allowed to create host aggregates and availability zones.

As indicated in the description Icehouse is likely affected too. The aggregates panel didn't exist in Havana. In Havana though, the 'unordered_list' filter was used when displaying availability zones in the System Info admin panel (read-only from the dashboard at the time). I'll test and backport the fix there too just to be safe.

Changed in horizon:
assignee: nobody → Julie Pichon (jpichon)
importance: Undecided → Medium
status: New → Triaged
milestone: none → juno-3
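The autoescape pitfall described in the comment above, as an added illustration that is neither Horizon's nor Django's code. `render_unordered_list` is a constructed stand-in for a Django-style filter declared with `needs_autoescape`: the template engine passes `autoescape=True` for it, but when the same callable is invoked directly from Python (as a table column filter) nothing sets the flag, so stored strings reach the page verbatim. `SAMPLE_ZONES`, the two `render_metadata_column_*` functions and `contains_raw_markup` are all constructed for this example and do not reproduce the actual Horizon patch.

```python
"""Constructed demonstration of a needs_autoescape-style filter called
outside template context (the bug) and with escaping forced on (the fix).
"""
from html import escape

# Constructed sample input: availability zone names an admin could store
# through the Host Aggregates form, including the payload from the report.
SAMPLE_ZONES = ["nova", "<svg onload=alert(1)>"]


def render_unordered_list(items, autoescape=None):
    """Stand-in for a Django-style filter with a needs_autoescape argument.

    Inside a template the engine would supply autoescape=True; called from
    plain Python the argument is left unset and nothing is escaped.
    """
    escaper = escape if autoescape else (lambda s: s)
    return "".join("<li>%s</li>" % escaper(item) for item in items)


def render_metadata_column_unsafe(zones):
    """Mirrors the bug: filter invoked from Python, autoescape never set."""
    return render_unordered_list(zones)


def render_metadata_column_safe(zones):
    """Mirrors the fix idea: force escaping on whenever the filter is used
    outside a template, so stored markup is rendered as text."""
    return render_unordered_list(zones, autoescape=True)


def contains_raw_markup(rendered, marker="<svg"):
    """Regression check: does the rendered HTML still carry an unescaped tag?"""
    return marker in rendered


if __name__ == "__main__":
    for label, render in (("unsafe", render_metadata_column_unsafe),
                          ("safe", render_metadata_column_safe)):
        out = render(SAMPLE_ZONES)
        print("%s: %s | raw markup present: %s"
              % (label, out, contains_raw_markup(out)))
```

A unit test along the lines of `contains_raw_markup` is the cheap guard against this class of regression: feed a column's filter chain a string containing angle brackets and assert they come back entity-encoded, regardless of whether the filter ran inside or outside a template.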
Julie Pichon (jpichon) wrote :

Here's a proposed patch for the issue. It also applies cleanly on icehouse (where I was able to reproduce the problem), I'll provide a havana version later on.

It's the second time we get bitten by the way we use filters in python files (cf. bug 1320235), after a solution for this gets merged I'll look into refactoring the solutions so they're more reusable. Maybe in a horizon/tables/filters.py file for filters known to be problematic, or introspecting for an autoescape argument so that might be too costly performance-wise...

Changed in ossa:
status: Incomplete → Confirmed
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)

@Julie Thanks for the quick patch and severity analysis!

Here is the impact description draft #1:

Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A malicious administrator may conduct a persistent XSS attack by registering a malicious host aggregate in Horizon Host Aggregate interface. Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected.

Changed in ossa:
importance: High → Medium
Thierry Carrez (ttx) wrote :

One question here is whether there is such a thing as a "malicious administrator", and if that vulnerability really elevates privileges or gives the attacker information/rights he can't otherwise access. My understanding is that the admin user already has access to most of the assets mentioned? Is this vulnerability giving him any extra access? Like being able to impersonate users by stealing their creds?

Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

<tristanC> Does stealing other admin access isn't a concern ? You can get lateral escalation no ?
<ttx> hmm, yeah, I like that
<ttx> would defeat auditing
<ttx> OK, I buy it

So let's do an OSSA here to be sure.

Julie Pichon (jpichon) wrote :

Here's the Havana patch, tested on a DevStack system. It's more of a "patch recreation" than backport because the affected file on master didn't exist during Havana, but the patch is easy enough to follow anyway.

Thierry Carrez (ttx) wrote :

@horizon-core please review the proposed patch

Lin Hua Cheng (lin-hua-cheng) wrote :

Patch in #6 looks good to me.

Thanks Julie!

Here is impact description draft #2:

Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A malicious administrator may conduct a persistent XSS attack by registering a malicious host aggregate in Horizon Host Aggregate interface. Once executed in a legitimate context this attack may reveal another admin token resulting in a lateral privilege escalation. All Horizon setups are affected.

Thierry Carrez (ttx) wrote :

Looks good, minor nitpick:

"may reveal another admin token resulting" ->
"may reveal another admin token, potentially resulting"

A CVE has been requested with this impact description:

Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum reported a persistent XSS in Horizon. A malicious administrator may conduct a persistent XSS attack by registering a malicious host aggregate in Horizon Host Aggregate interface. Once executed in a legitimate context this attack may reveal another admin token, potentially resulting in a lateral privilege escalation. All Horizon setups are affected.

Jeremy Stanley (fungi) on 2014-08-13
summary: - Persistent XSS in the Host Aggregates interface
+ Persistent XSS in the Host Aggregates interface (CVE-2014-3594)

Looks like this should be...

Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.2

...since 2014.1.2 was released a week ago and doesn't contain a fix as far as I can tell.

@fungi Thanks!

The pre-OSSA has been sent. Proposed public disclosure date/time:
2014-08-19, 1500UTC

Changed in ossa:
status: Triaged → In Progress
Thierry Carrez (ttx) on 2014-08-18
Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/115310

Changed in horizon:
status: Triaged → In Progress
summary: - Persistent XSS in the Host Aggregates interface (CVE-2014-3594)
+ [OSSA 2014-027] Persistent XSS in the Host Aggregates interface
+ (CVE-2014-3594)

Reviewed: https://review.openstack.org/115310
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ba2c98aea0db0d03200c811b86b3efe8367f3905
Submitter: Jenkins
Branch: master

commit ba2c98aea0db0d03200c811b86b3efe8367f3905
Author: Julie Pichon <email address hidden>
Date: Tue Jul 29 16:17:44 2014 +0100

    Fix XSS issue with the unordered_list filter

    When using the unordered_list filter in a Horizon table (as opposed to
    a template directly), autoescaping is not set by default and the input
    wasn't sanitised.

    Closes-Bug: #1349491
    Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec

Changed in horizon:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/115311
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ba908ae88d5925f4f6783eb234cc4ea95017472b
Submitter: Jenkins
Branch: stable/icehouse

commit ba908ae88d5925f4f6783eb234cc4ea95017472b
Author: Julie Pichon <email address hidden>
Date: Tue Jul 29 16:17:44 2014 +0100

    Fix XSS issue with the unordered_list filter

    When using the unordered_list filter in a Horizon table (as opposed to
    a template directly), autoescaping is not set by default and the input
    wasn't sanitised.

    Closes-Bug: #1349491
    Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec

Reviewed: https://review.openstack.org/115313
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=96c6cdaa084857b82b9681378d5d3a6a4732015e
Submitter: Jenkins
Branch: stable/havana

commit 96c6cdaa084857b82b9681378d5d3a6a4732015e
Author: Julie Pichon <email address hidden>
Date: Thu Aug 7 12:01:56 2014 +0100

    Fix XSS issue with the unordered_list filter

    When using the unordered_list filter in a Horizon table (as opposed to
    a template directly), autoescaping is not set by default and the input
    wasn't sanitised.

    Closes-Bug: #1349491
    Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec

Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-09-04
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in horizon:
milestone: juno-3 → 2014.2