Bug #10275

CVE-2015-3155 - The _session_id cookie is issued without the Secure flag

Added by Ori Rabin over 2 years ago. Updated over 2 years ago.

Status:Closed
Priority:Normal
Assigned To:Shlomi Zadok
Category:Security
Target version:-
Difficulty:
Bugzilla link:1215622
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/2328
Story points:-
Velocity based estimate:-
Release:1.8.1
Release relationship:Auto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1215622
Description of problem:

A strategic customer has run a penetration test as part of preparation for a PCI-DSS audit.

One of the issues found is the following:

==============================================
SSL Cookie Without Secure Flag Set
Risk: Medium

Abstract
If the secure flag is set on a cookie, then the browser will not submit the cookie in any request
that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially
intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the
cookie will be transmitted in clear text if the user visits any HTTP URLs within the cookie's
scope. An attacker may be able to induce this event by feeding a user a suitable link, either
directly or via another web site.

Specific Findings
In Red Hat Satellite 6, the _session_id cookie is set without the Secure flag:

_session_id=; path=/; HttpOnly

Remedy
The secure flag should be set on all cookies that are used for transmitting sensitive data when
accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS should employ their own session handling
mechanism, and the session tokens used should never be transmitted over unencrypted
communications.


Related issues

Related to Foreman - Bug #10510: "Invalid authenticity token" after login Closed 05/14/2015
Related to Foreman - Bug #11352: Foreman 1.7.5 CVE-2015-3155 - The _session_id cookie is i... Rejected 08/14/2015

Associated revisions

Revision 0b03b9bd
Added by Shlomi Zadok over 2 years ago

fixes #10275 - Add secure cookie when in ssl (CVE-2015-3155)

History

#2 Updated by Ohad Levy over 2 years ago

  • Private changed from No to Yes

#3 Updated by Dominic Cleal over 2 years ago

  • Category set to Security

Please do not copy security related tickets to Redmine, the correct course of action is to report them to the foreman-security mailing list/team, see http://theforeman.org/security.html.

This has been reported there and we're looking into it.

#4 Updated by Dominic Cleal over 2 years ago

I can reproduce this on recent nightly builds and default installation.

If I access http://foreman.example.com/, the server does NOT set a session cookie, then redirects the request to https://foreman.example.com/. The request to https://foreman.example.com/ sets the _session_id cookie with HttpOnly and no secure flag, then redirects the request to https://foreman.example.com/users/login.

It seems that any subsequent HTTP request, e.g. a user trying to return to the application by visiting http://foreman.example.com/ rather than https:// will result in the session cookie going over the wire under HTTP. The initial access to Foreman doesn't appear to send it over HTTP at any point.

Our older fixes for session fixation problems under CVE-2014-0090 don't really help mitigate this new issue, as the privileged session ID can be leaked over an HTTP request.

In Foreman 1.8, there is an additional "timezone" cookie that is also set without the secure or HttpOnly flags, but only contains a string such as "Europe/London".

In all versions, a _ForemanSelectedhosts cookie can be set by ticking some checkboxes in the UI host list. This contains a JSON array of host IDs that the user has selected. It's set from JavaScript rather than the HTTP request, and does not have the secure flag.

Both extra cookies would have negligible impact from a leak I think, but if the HTTP response could be intercepted and a different value set, it could cause a minor inconvenience for the user.
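The finding in the description (the Abstract and Remedy sections) and the reproduction in comment #4, as an added example in Ruby, since Foreman is a Rails application. This is not Foreman's code and not the fix in the linked pull request. It assumes Rack's conventions of a `rack.url_scheme` environment key and of several cookies in one `Set-Cookie` header joined by newlines; the `SecureCookieFlag` middleware and the `audit_set_cookie`, `cookie_sent?` and `issued_cookies` helpers are hypothetical names introduced here, and the sample headers are constructed from the header quoted in the report and the timezone cookie mentioned in comment #4.

```ruby
# Added example, not Foreman's code or the fix in the linked pull request.
# Audits Set-Cookie headers for the flags the report asks for, shows a
# Rack-style middleware that appends Secure only on TLS requests, and
# models the browser rule that keeps Secure cookies off plain HTTP.

# Parse one Set-Cookie header value (RFC 6265) into its name, value and
# attributes. Attribute names are case-insensitive; bare flags such as
# "Secure" and "HttpOnly" map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attributes: attributes }
end

# Findings for one Set-Cookie header received over the given scheme.
# Secure is only expected on cookies issued over https; HttpOnly always.
def audit_set_cookie(header, scheme:)
  cookie = parse_set_cookie(header)
  findings = []
  findings << "#{cookie[:name]}: missing Secure flag" if scheme == 'https' && !cookie[:attributes]['secure']
  findings << "#{cookie[:name]}: missing HttpOnly flag" unless cookie[:attributes]['httponly']
  findings
end

# Browser side: a Secure cookie is never sent on an unencrypted request; a
# cookie without the flag goes out on both, which is the leak in comment #4.
def cookie_sent?(header, request_scheme:)
  return true unless parse_set_cookie(header)[:attributes]['secure']
  request_scheme == 'https'
end

# Hypothetical Rack-style middleware (illustration only): append "; Secure"
# to every cookie the app sets when the request arrived over TLS. Rack's own
# session middleware exposes a `secure:` option for the same purpose.
class SecureCookieFlag
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env['rack.url_scheme'] == 'https' && headers['Set-Cookie']
      headers['Set-Cookie'] = add_secure(headers['Set-Cookie'])
    end
    [status, headers, body]
  end

  private

  # Rack joins several cookies with "\n"; cookies already marked Secure are left alone.
  def add_secure(value)
    value.split("\n").map do |cookie|
      parse_set_cookie(cookie)[:attributes]['secure'] ? cookie : "#{cookie}; Secure"
    end.join("\n")
  end
end

# Constructed sample: the header quoted in the report (session value was
# redacted there) plus the timezone cookie mentioned in comment #4.
VULNERABLE_COOKIES = "_session_id=; path=/; HttpOnly\ntimezone=Europe/London; path=/".freeze

# Run the vulnerable app behind the middleware for a request on `scheme`
# and return the Set-Cookie header the client would receive.
def issued_cookies(scheme)
  app = lambda { |_env| [302, { 'Set-Cookie' => VULNERABLE_COOKIES, 'Location' => '/users/login' }, []] }
  _status, headers, _body = SecureCookieFlag.new(app).call('rack.url_scheme' => scheme)
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  VULNERABLE_COOKIES.split("\n").each { |c| puts audit_set_cookie(c, scheme: 'https') }
  puts issued_cookies('https')
end
```

Running the script audits the two constructed cookies as served over https and prints the headers after the middleware has appended Secure. Note that the middleware only helps for cookies set by the server: a cookie written from JavaScript, like the `_ForemanSelectedhosts` cookie in comment #4, never passes through it and would need the flag set in the script that creates it.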

#5 Updated by Dominic Cleal over 2 years ago

  • Subject changed from The _session_id cookie is issued without the Secure flag to CVE-2015-3155 - The _session_id cookie is issued without the Secure flag
  • Private changed from Yes to No

CVE-2015-3155 has been assigned for this issue, which is now unembargoed.

#6 Updated by Dominic Cleal over 2 years ago

  • Release set to 1.8.1

#7 Updated by Shlomi Zadok over 2 years ago

  • Assigned To set to Shlomi Zadok

#8 Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2328 added

#9 Updated by Shlomi Zadok over 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#10 Updated by Dominic Cleal over 2 years ago

  • Related to Bug #10510: "Invalid authenticity token" after login added

#11 Updated by Dominic Cleal about 2 years ago

  • Related to Bug #11352: Foreman 1.7.5 CVE-2015-3155 - The _session_id cookie is issued without the Secure flag added
