Configure Horizon to mitigate BREACH/CRIME attacks

Bug #1209250 reported by Robert Clark on 2013-08-07
Affects: OpenStack Security Notes
Importance: Undecided
Assigned to: Robert Clark

Bug Description

Gabriel Hurley wrote:
> Many of you have probably heard about the "BREACH" attack/security vulnerability in HTTPS traffic that was disclosed recently, and I'd like to take a moment to provide some info about how that affects Horizon. I'm not following the official vulnerability management process because 1. The vulnerability is already disclosed publicly, 2. Workaround information has already been published by Django and many others, and 3. There's no one-off code fix on our end so awareness is the best possible thing.

Agree that there is nothing to patch in our code at this point and therefore no base for an OpenStack Security Advisory (OSSA). The information you provided would still make a great OpenStack Security Note (OSSN), though. Those are issued by the OpenStack Security Group, I CC-ed Rob Clark so that he puts it on his radar.

Thanks!

--
Thierry Carrez (ttx)

Changed in ossn:
status: New → Confirmed

Rob .. here is some suggested wording for an OSSN:

The BREACH attack (http://breachattack.com/) may be used to compromise Django's CSRF protection. OpenStack's Horizon web dashboard is built on the Django framework and consequently affected. There is no Horizon patch but there are protection options.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS. Essentially, compression output length is used to decipher secrets within the response: secrets that typically are a part of both the request and response, such as session cookies, authentication tokens etc. For more details read the BREACH paper at http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf.

Based on how your application is deployed, Django suggests the following defense strategies:

1. Disabling Django's GZip middleware.

2. Disabling GZip compression in your web server's config. For example, if you're using Apache you'd want to disable mod_deflate; in nginx you'd disable the gzip module.

Additionally, you should make sure you disable TLS compression by adjusting your server's SSL ciphers.

Django plans to address BREACH with a patch, which will be wrapped once available in Horizon's next release cycle.

Robert Clark (robert-clark) wrote :

Configure Horizon to mitigate BREACH/CRIME attacks
-----

### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks.

### Affected Services / Software ###
Horizon, Django, Apache, Nginx

### Discussion ###
The BREACH attack may be used to compromise Django's CSRF protection. OpenStack's Horizon web dashboard is built on the Django framework and consequently affected. There is no Horizon patch but there are protection options.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS.

### Recommended Actions ###
Disable Django's GZIP Middleware https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip
Disable GZip compression in your web server's config:

Apache: Disable mod_deflate - http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
Nginx: Disable the gzip module - http://wiki.nginx.org/HttpGzipModule

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1209250
Django advice on BREACH : https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
More info on BREACH : http://breachattack.com/
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
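The recommended actions above (and the defense list in the earlier comment) turned into a small audit, added here as an example and not code from the OSSN or from Horizon: it checks a Django middleware list, an Apache vhost and an nginx server block for the three compression layers the note says to disable. The config samples, function names and the `'gzip'` substring filter are constructed assumptions for illustration; TLS-level compression (the CRIME side) is a server SSL setting and is not checked here.

```python
import re
# Constructed samples (not from the OSSN): Horizon middleware, an Apache vhost
# and an nginx server block, each with response compression still enabled.
WEAK_MIDDLEWARE = (
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.gzip.GZipMiddleware',  # compresses CSRF-bearing pages
)
HARDENED_MIDDLEWARE = tuple(m for m in WEAK_MIDDLEWARE if 'gzip' not in m)
WEAK_APACHE = """
<VirtualHost *:443>
    SSLEngine on
    AddOutputFilterByType DEFLATE text/html application/json
</VirtualHost>
"""
WEAK_NGINX = """
server {
    # gzip off;   (a commented-out directive changes nothing)
    gzip on;
}
"""
HARDENED_NGINX = WEAK_NGINX.replace('gzip on;', 'gzip off;')

def _active_lines(conf):
    # Strip comments so a commented-out directive is never counted as live.
    return [line.split('#', 1)[0] for line in conf.splitlines()]

def django_gzip_enabled(middleware):
    return 'django.middleware.gzip.GZipMiddleware' in middleware

def apache_deflate_enabled(conf):
    """mod_deflate is in use if any live line hooks the DEFLATE output filter."""
    pat = re.compile(r'^\s*(SetOutputFilter|AddOutputFilterByType)\s+.*\bDEFLATE\b', re.I)
    return any(pat.search(line) for line in _active_lines(conf))

def nginx_gzip_enabled(conf):
    """nginx's 'gzip' directive defaults to off; the last live one wins."""
    state = False
    for line in _active_lines(conf):
        m = re.match(r'^\s*gzip\s+(on|off)\s*;', line)
        if m:
            state = m.group(1) == 'on'
    return state

def audit(middleware, apache_conf, nginx_conf):
    """Names of the layers that still compress responses; [] means all are off."""
    checks = (('django-gzip', django_gzip_enabled(middleware)),
              ('apache-deflate', apache_deflate_enabled(apache_conf)),
              ('nginx-gzip', nginx_gzip_enabled(nginx_conf)))
    return [name for name, enabled in checks if enabled]
```

Run `audit()` against the real `MIDDLEWARE_CLASSES` and the text of the vhost files; an empty list means the three compression layers named in the note are off.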

Robert Clark (robert-clark) wrote :

Posted to the OpenStack ML 19-9-13

Changed in ossn:
status: Confirmed → Fix Released
Changed in ossn:
assignee: nobody → Robert Clark (robert-clark)

Rick Bartra (rb560u) wrote :

Until Django releases an official patch for the BREACH vulnerability, I think we should take a look at django-debreach. The django-debreach package provides some, possibly enough, protection against a BREACH attack. Its integration into Horizon is quite simple by following the configuration found here: https://pypi.python.org/pypi/django-debreach

If this is a desired possible solution against BREACH, I can submit either a patch or blueprint for incorporating django-debreach into Horizon.

Omar Rivera (gomarivera) wrote :

Seems like the Django community has been hanging on to the change for a while.
https://code.djangoproject.com/ticket/20869

Rick Bartra (rb560u) wrote :

Here is my proposed change to implement django-debreach:
https://review.openstack.org/#/c/247838/
