Bug 917091 - (CVE-2015-0259) VUL-0: CVE-2015-0259: openstack-nova: Nova console Cross-Site WebSocket hijacking
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2015-0259:4.9:(AV:N...
Depends on:
Blocks:
Reported: 2015-02-10 10:53 UTC by Johannes Segitz
Modified: 2016-04-27 19:35 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 4 Swamp Workflow Management 2015-02-10 23:00:14 UTC
bugbot adjusting priority
Comment 11 Marcus Meissner 2015-03-11 13:46:50 UTC
is public 

http://osdir.com/ml/general/2015-03/msg13853.html

Source: nova
Version: 2014.1.3-10
Severity: grave
Tags: security patch

Maintainer's message: below is the disclosed vulnerability for the Nova
VNC session hijack. I'm preparing an update right now.

Brian Manifold (bmanifol@xxxxxxxxx) from Cisco has discovered a
vulnerability in the Nova VNC server implementation. We have a patch for
this vulnerability and consider this a very high risk.

Issue Details:

Horizon uses a VNC client which uses websockets to pass information. The
Nova VNC server does not validate the origin of the websocket request,
which allows an attacker to make a websocket request from another domain.
If the victim opens both an attacker's site and the VNC console
simultaneously, or if the victim has recently been using the VNC console
and then visits the attacker's site, the attacker can make a websocket
request to the Horizon domain and proxy the connection to another
destination.

This gives the attacker full read-write access to the VNC console of any
instance recently accessed by the victim.

Recommendation:
Verify the origin field in request header on all websocket requests.

Threat:
CWE-345
* Insufficient Verification of Data Authenticity -- The software does not
sufficiently verify the origin or authenticity of data, in a way that
causes it to accept invalid data.

CWE-346
* Origin Validation Error -- The software does not properly verify that
the source of data or communication is valid.

CWE-441
* Unintended Proxy or Intermediary ('Confused Deputy') -- The software
receives a request, message, or directive from an upstream component, but
the software does not sufficiently preserve the original source of the
request before forwarding the request to an external actor that is outside
of the software's control sphere. This causes the software to appear to be
the source of the request, leading it to act as a proxy or other
intermediary between the upstream component and the external actor.

Steps to reproduce:
1. Login to horizon
2. Pick an instance, go to console/vnc tab, wait for console to be loaded
3. In another browser tab or window, load a VNC console script from local
disk or remote site
4. Point the newly loaded VNC console to the VNC server and a connection
is made
Result:
The original connection has been hijacked by the second connection

Root cause:
Cross-Site WebSocket Hijacking is a concept that has been written about in
various security blogs.
One of the recommended countermeasures is to check the Origin header of
the WebSocket handshake request.

Fix proposed to branch: master
Review: https://review.openstack.org/163033

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/163034

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/163035
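The recommendation above ("verify the origin field in request header on all websocket requests") as a worked example. This is an added illustration, not Nova's code and not the content of the reviews linked above. It assumes a websockify-style proxy that sees the raw HTTP upgrade request, compares the Origin host against the Host header the browser connected to, accepts an operator allow-list and an ssl_only flag (both hypothetical parameters), and treats a missing Origin as a non-browser client. Host names, path and token in the sample requests are constructed.

```python
"""Origin validation for a WebSocket handshake (illustrative, not Nova's code)."""
from urllib.parse import urlparse


class OriginError(ValueError):
    """Raised when the WebSocket handshake must be refused."""


def parse_handshake(raw):
    """Split an HTTP/1.1 upgrade request into (method, target, headers).

    Header names are lower-cased; only what the Origin check needs is parsed.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_origin(headers, allowed_origins=(), ssl_only=False):
    """Validate the Origin of a handshake: True to accept, OriginError to refuse.

    - No Origin header: accepted as a non-browser client. Browsers always send
      Origin on a WebSocket handshake, so a cross-site page cannot omit it.
    - Origin must be an absolute URL with a scheme and a host. A page loaded
      from local disk or a sandboxed frame sends "Origin: null", which fails.
    - The Origin host must equal the hostname in the Host header unless the
      operator explicitly allow-listed it (assumed config, not Nova's).
    - With ssl_only, a non-https Origin is refused.
    """
    origin_url = headers.get("origin")
    if origin_url is None:
        return True
    origin = urlparse(origin_url)
    if not origin.scheme or not origin.hostname:
        raise OriginError("Origin header not valid: %r" % origin_url)
    # Host may carry a port ("horizon.example.com:6080"); strip it the same way.
    expected_host = urlparse("//" + headers.get("host", "")).hostname
    if origin.hostname != expected_host and origin.hostname not in allowed_origins:
        raise OriginError("Origin %r does not match host %r"
                          % (origin.hostname, expected_host))
    if ssl_only and origin.scheme != "https":
        raise OriginError("Origin scheme must be https when ssl_only is set")
    return True


def handshake_decision(raw, **policy):
    """Parse a raw handshake and return 'accept' or 'reject: <reason>'."""
    method, _target, headers = parse_handshake(raw)
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return "reject: not a WebSocket upgrade"
    try:
        check_origin(headers, **policy)
    except OriginError as exc:
        return "reject: %s" % exc
    return "accept"


def _request(origin):
    """Constructed sample handshake; host, path, token and key are made up."""
    lines = [
        "GET /websockify?token=example-token HTTP/1.1",
        "Host: horizon.example.com:6080",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    ]
    if origin is not None:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed scenarios matching the advisory's reproduction steps.
SAMPLES = {
    "horizon tab": _request("https://horizon.example.com"),
    "attacker page": _request("https://attacker.example"),
    "local file (Origin null)": _request("null"),
    "native vnc client (no Origin)": _request(None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-32s %s" % (name, handshake_decision(raw, ssl_only=True)))
```

The Origin header is set by the browser, not by the page, which is why this check stops the cross-site case in the advisory. A non-browser client can send any Origin it likes, so the check is not authentication: the console token and the session checks behind it still have to be enforced.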
Comment 13 Swamp Workflow Management 2015-10-01 14:10:27 UTC
SUSE-SU-2015:1666-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 915245,917091,920573,922751,926596,926773,927625,930574,931839,934523,944339
CVE References: 
Sources used:
SUSE OpenStack Cloud Compute 5 (src):    openstack-ceilometer-2014.2.4.dev18-3.2, openstack-neutron-2014.2.4~a0~dev78-7.2, openstack-nova-2014.2.4~a0~dev61-6.2, openstack-suse-2014.2-5.1
Comment 14 Vincent Untz 2015-10-12 09:33:43 UTC
This one is in S:M:945.
Comment 15 Swamp Workflow Management 2015-10-13 10:11:00 UTC
SUSE-RU-2015:1730-1: An update that solves one vulnerability and has 15 fixes is now available.

Category: recommended (moderate)
Bug References: 895594,915245,917091,917328,919963,922751,927625,928189,931043,931284,931839,934225,934523,934651,934688,937117
CVE References: CVE-2015-0259
Sources used:
SUSE OpenStack Cloud 5 (src):    crowbar-barclamp-ceilometer-1.9+git.1438201205.04a7436-9.8, crowbar-barclamp-cinder-1.9+git.1438200979.c385b03-10.8, crowbar-barclamp-hyperv-1.9+git.1432022529.1952009-10.8, crowbar-barclamp-keystone-1.9+git.1438197158.e32ec9e-10.7, crowbar-barclamp-neutron-1.9+git.1438265717.eb633ae-9.8, crowbar-barclamp-nova-1.9+git.1438201051.f8b5f34-9.8, openstack-neutron-2014.2.4~a0~dev78-13.4, openstack-neutron-doc-2014.2.4~a0~dev78-13.9, openstack-nova-2014.2.4~a0~dev61-11.4, openstack-nova-doc-2014.2.4~a0~dev61-11.4, openstack-resource-agents-1.0+git.1417010594.e813e10-9.2
Comment 16 Victor Pereira 2015-11-19 12:40:15 UTC
fixed and released