
yahoo-eng-team team mailing list archive

[Bug 1552994] Re: [FG-VD-16-013] Openstack Dashboard DoS Vulnerability Notification


Unless instructions are provided as to how to reproduce this, it's class
E. Since this report is already public, I've switched our advisory
status accordingly. If new evidence is presented that there is any
actual risk here, we can revisit the report at that time.

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1552994

Title:
  [FG-VD-16-013] Openstack Dashboard DoS Vulnerability Notification

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  Vulnerability Notification
  March 3, 2016
  Tracking Case #: FG-VD-16-013

  Dear Openstack,

  The following information pertains to information discovered by
  Fortinet's FortiGuard Labs. It has been determined that a
  vulnerability exists in the Openstack Dashboard module. To streamline the
  disclosure process, we have created a preliminary advisory which you
  can find below. This upcoming advisory is purely intended as a
  reference, and does not contain sensitive information such as proof of
  concept code.

  As a mature corporation involved in security research, we strive to
  responsibly disclose vulnerability information. We will not post an
  advisory until we determine it is appropriate to do so in co-ordination
  with the vendor unless a resolution cannot be reached. We
  will not disclose full proof of concept, only details relevant to the
  advisory.

  We look forward to working closely with you to resolve this issue, and
  kindly ask for your co-operation during this time. Please let us know
  if you have any further questions, and we will promptly respond to
  address any issues.

  If this message is not encrypted, it is because we could not find your
  key to do so. If you have one available for use, please notify us and
  we will ensure that this is used in future correspondence. We ask you
  use our public PGP key to encrypt and communicate any sensitive
  information with us. You may find the key on our FortiGuard center at:
  http://www.fortiguard.com/pgp_key.html.

  Type of Vulnerability & Repercussions:
    DoS

  Affected Software:
    Ubuntu 14.04.3 with latest repository installed
    # apt-get install software-properties-common
    # add-apt-repository cloud-archive:liberty

  Upcoming Advisory Reference:
    http://www.fortiguard.com/advisory/UpcomingAdvisories.html

  Credits:
    This vulnerability was discovered by Fortinet's FortiGuard Labs.

  Proof of Concept/How to Reproduce:
    1. Sign in to the Dashboard with a non-admin user credential in Chrome or Firefox, for example the user demo.
    2. Create a new tab in the browser and open the PoC force_logout.html, which can be hosted on any website.
    3. In the Dashboard, when the currently logged-on user clicks any link, he/she is forced to log out with the hint "Unauthorized. Please try logging in again.". When he/she signs in to the Dashboard again and clicks any link, he/she is again forced to log out with the same hint.
    4. This is caused by the PoC force_logout.html, which periodically accesses an invalid link "http://10.0.0.11/horizon/identity/users/12345678901234567890123456789011/detail/". Please note the user id in the link is fake. When accessing it, the non-admin user is forced to log out because the response to the invalid link request contains a "sessionid" clear action, which can result in DoS in the same browser.

  Notes:
    1) Tested the PoC force_logout.html successfully in Chrome and Firefox.
    2) Replace the IP 10.0.0.11 with your real Openstack control node IP in force_logout.html.

  Additional Information:

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1552994/+subscriptions
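As an added detection example (not part of the bug report, of Horizon, or of the OSSA team's response), the following Python script scans Apache combined-format access log lines for bursts of cross-site requests to the user-detail URL shape the report names, which is the server-side footprint a forced-logout page like the described force_logout.html would leave. The log lines, the client addresses 10.0.0.5 and 10.0.0.6, the hostname evil.example and the 302 status are constructed for illustration; 10.0.0.11 is the control node address used in the report.

```python
"""Flag bursts of cross-site requests to Horizon user-detail URLs.

Added example, not part of the bug report. Assumes Apache combined-format
access logs in front of Horizon; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format:
#   client ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The URL shape named in the report: a user-detail page under /identity/users/.
USER_DETAIL_RE = re.compile(r'^/horizon/identity/users/[^/]+/detail/?$')

# Constructed sample log. The 302 status on the user-detail hits is assumed;
# the report only states that the response clears the session cookie.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2016:10:00:01 +0000] "GET /horizon/project/ HTTP/1.1" 200 5120 "http://10.0.0.11/horizon/" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2016:10:00:05 +0000] "GET /horizon/identity/users/12345678901234567890123456789011/detail/ HTTP/1.1" 302 0 "http://evil.example/force_logout.html" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2016:10:00:09 +0000] "GET /horizon/auth/login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2016:10:00:15 +0000] "GET /horizon/identity/users/12345678901234567890123456789011/detail/ HTTP/1.1" 302 0 "http://evil.example/force_logout.html" "Mozilla/5.0"
10.0.0.6 - - [03/Mar/2016:10:00:20 +0000] "GET /horizon/identity/users/abc123/detail/ HTTP/1.1" 200 4096 "http://10.0.0.11/horizon/identity/users/" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2016:10:00:25 +0000] "GET /horizon/identity/users/12345678901234567890123456789011/detail/ HTTP/1.1" 302 0 "http://evil.example/force_logout.html" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site(referer, horizon_host):
    """True when the Referer names a host other than the dashboard itself.

    A missing Referer ("-") is treated as same-site, so the check under-reports
    rather than flagging browsers that strip the header.
    """
    if not referer or referer == '-':
        return False
    return urlsplit(referer).hostname not in (None, horizon_host)


def find_forced_logout_bursts(log_text, horizon_host, threshold=3):
    """Map client -> [(time, referer), ...] for clients with at least
    `threshold` cross-site requests to user-detail URLs."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if not rec:
            continue
        if USER_DETAIL_RE.match(rec['path']) and is_cross_site(rec['referer'], horizon_host):
            hits[rec['client']].append((rec['time'], rec['referer']))
    return {client: events for client, events in hits.items() if len(events) >= threshold}


if __name__ == '__main__':
    for client, events in find_forced_logout_bursts(SAMPLE_LOG, '10.0.0.11').items():
        print(f"{client}: {len(events)} cross-site user-detail requests")
        for when, referer in events:
            print(f"  {when}  referer={referer}")
```

Run it against the real access log with the dashboard's own hostname in place of 10.0.0.11; a client that appears in the result is a session being repeatedly bounced off the user-detail page from a foreign origin, which is the symptom described in step 3 of the reproduction. Because the trigger depends on the browser attaching the session cookie to a cross-site request, restricting the session cookie with the SameSite attribute (Django's SESSION_COOKIE_SAMESITE setting, in versions that support it) removes the vector independently of any log-based detection.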