Adding OSSN-0017 - Session-fixation vulnerability in Horizon when using the default signed cookie sessions
OSSN-0017 describes an issue where the default setting in Horizon causes client side cookies to be used. This allows an attacker who is able to capture a user's cookie to perform any action as that user, even after that user has logged out. Related-Bug: #1327425 Change-Id: I74bf8f308227c8adafc719474bec6f8cd1db2601
This commit is contained in:
parent
5f5202470c
commit
e34b5c292b
|
@ -0,0 +1,96 @@
|
||||||
|
Session-fixation vulnerability in Horizon when using the default signed cookie sessions
|
||||||
|
---
|
||||||
|
|
||||||
|
### Summary ###
|
||||||
|
The default setting in Horizon is to use signed cookies to store
|
||||||
|
session state on the client side. This creates the possibility that if
|
||||||
|
an attacker is able to capture a user's cookie, they may perform all
|
||||||
|
actions as that user, even if the user has logged out.
|
||||||
|
|
||||||
|
### Affected Services / Software ###
|
||||||
|
Horizon, Folsom, Grizzly, Havana, Icehouse
|
||||||
|
|
||||||
|
### Discussion ###
|
||||||
|
When configured to use client side sessions, the server isn't aware
|
||||||
|
of the user's login state. The OpenStack authorization tokens are
|
||||||
|
stored in the session ID in the cookie. If an attacker can steal the
|
||||||
|
cookie, they can perform all actions as the target user, even after the
|
||||||
|
user has logged out.
|
||||||
|
|
||||||
|
There are several ways attackers can steal the cookie. One example is
|
||||||
|
by intercepting it over the wire if Horizon is not configured to use
|
||||||
|
SSL. The attacker may also access the cookie from the filesystem if
|
||||||
|
they have access to the machine. There are also other ways to steal
|
||||||
|
cookies that are beyond the scope of this note.
|
||||||
|
|
||||||
|
By enabling a server side session tracking solution such as memcache,
|
||||||
|
the session is terminated when the user logs out. This prevents an
|
||||||
|
attacker from using cookies from terminated sessions.
|
||||||
|
|
||||||
|
It should be noted that Horizon does request that Keystone invalidate
|
||||||
|
the token upon user logout, but this has not been implemented for the
|
||||||
|
Identity API v3. Token invalidation may also fail if the Keystone
|
||||||
|
service is unavailable. Therefore, to ensure that sessions are not
|
||||||
|
usable after the user logs out, it is recommended to use server side
|
||||||
|
session tracking.
|
||||||
|
|
||||||
|
### Recommended Actions ###
|
||||||
|
It is recommended that you configure Horizon to use a different session
|
||||||
|
backend rather than signed cookies. One possible alternative is to use
|
||||||
|
memcache sessions. To check if you are using signed cookies, look for
|
||||||
|
this line in Horizon's local_settings.py
|
||||||
|
|
||||||
|
--- begin example local_settings.py snippet ---
|
||||||
|
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
|
||||||
|
--- end example local_settings.py snippet ---
|
||||||
|
|
||||||
|
If the SESSION_ENGINE is set to value other than
|
||||||
|
'django.contrib.sessions.backends.signed_cookies' this vulnerability
|
||||||
|
is not present. If SESSION_ENGINE is not set in local_settings.py,
|
||||||
|
check for it in settings.py.
|
||||||
|
|
||||||
|
Here are the steps to configure memcache sessions:
|
||||||
|
|
||||||
|
1. Ensure the memcached service is running on your system
|
||||||
|
2. Ensure that python-memcached is installed
|
||||||
|
3. Configure memcached cache backend in local_settings.py
|
||||||
|
|
||||||
|
--- begin example local_settings.py snippet ---
|
||||||
|
CACHES = {
|
||||||
|
'default': {
|
||||||
|
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
|
||||||
|
'LOCATION': '127.0.0.1:11211',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--- end example local_settings.py snippet ---
|
||||||
|
|
||||||
|
Make sure to use the actual IP and port of the memcached service.
|
||||||
|
|
||||||
|
4. Add a line in local_settings.py to use the cache backend:
|
||||||
|
|
||||||
|
--- begin example local_settings.py snippet ---
|
||||||
|
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
|
||||||
|
--- end example local_settings.py snippet ---
|
||||||
|
|
||||||
|
5. Restart Horizon's webserver service (typically 'apache2' or
|
||||||
|
httpd')
|
||||||
|
|
||||||
|
Furthermore, you should always enable SSL for Horizon to help mitigate
|
||||||
|
such attack scenarios.
|
||||||
|
|
||||||
|
Please note that regardless of which session backend is used, if the
|
||||||
|
cookie is compromised, an attacker may assume all privileges of the
|
||||||
|
user for as long as their session is valid.
|
||||||
|
|
||||||
|
### Contacts / References ###
|
||||||
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0017
|
||||||
|
Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1327425
|
||||||
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||||
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||||
|
Further discussion of the issue:
|
||||||
|
http://www.pabloendres.com/horizon-and-cookies/#comment-115
|
||||||
|
Django docs:
|
||||||
|
https://docs.djangoproject.com/en/1.6/ref/settings/
|
||||||
|
https://docs.djangoproject.com/en/1.6/topics/http/sessions/#configuring-sessions
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue