** Changed in: nova Status: Fix Committed => Fix Released ** Changed in: nova Milestone: None => kilo-3
-- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1409142 Title: [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: Fix Released Status in OpenStack Compute (nova) juno series: Fix Committed Status in OpenStack Security Advisories: Fix Released Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added as to the bug as attachments. OpenStack Vulnerability Team: Brian Manifold (bmani...@cisco.com) from Cisco has discovered a vulnerability in the Nova VNC server implementation. We have a patch for this vulnerability and consider this a very high risk. Please email Dave McCowan (dmcco...@cisco.com) for more details on the attached patch. Issue Details: Horizon uses a VNC client which uses websockets to pass information. The Nova VNC server does not validate the origin of the websocket request, which allows an attacker to make a websocket request from another domain. If the victim opens both an attacker's site and the VNC console simultaneously, or if the victim has recently been using the VNC console and then visits the attacker's site, the attacker can make a websocket request to the Horizon domain and proxy the connection to another destination. This gives the attacker full read-write access to the VNC console of any instance recently accessed by the victim. Recommendation: Verify the origin field in request header on all websocket requests. Threat: CWE-345 * Insufficient Verification of Data Authenticity -- The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. CWE-346 * Origin Validation Error -- The software does not properly verify that the source of data or communication is valid. CWE-441 * Unintended Proxy or Intermediary ('Confused Deputy') -- The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. Steps to reproduce: 1. Login to horizon 2. Pick an instance, go to console/vnc tab, wait for console to be loaded 3. In another browser tab or window, load a VNC console script from local disk or remote site 4. Point the newly loaded VNC console to the VNC server and a connection is made Result: The original connection has been been hijacked by the second connection Root cause: Cross-Site WebSocket Hijacking is concept that has been written about in various security blogs. One of the recommended countermeasures is to check the Origin header of the WebSocket handshake request. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1409142/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp