CVE-2015-3155 - The _session_id cookie is issued without the Secure flag
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1215622
Description of problem:
Strategic customer has run penetration test as part of preparation for PCI-DSS audit.
One of issues found is next one:
SSL Cookie Without Secure Flag Set
If the secure flag is set on a cookie, then browser will not submit the cookie in any request
that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially
intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the
cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's
scope. An attacker may be able to induce this event by feeding a user suitable link, either
directly or via another web site.
In Red Hat Satellite 6, the _session_id cookie is set without the Secure flag:
_session_id=; path=/; HttpOnly
The secure flag should be set on all cookies that are used for transmitting sensitive data when
accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS should employ their own session handling
mechanism, and the session tokens used should never be transmitted over unencrypted
#3 Updated by Dominic Cleal about 4 years ago
- Category set to Security
Please do not copy security related tickets to Redmine, the correct course of action is to report them to the foreman-security mailing list/team, see http://theforeman.org/security.html.
This has been reported there and we're looking into it.
#4 Updated by Dominic Cleal about 4 years ago
I can reproduce this on recent nightly builds and default installation.
If I access http://foreman.example.com/, the server does NOT set a session cookie, then redirects the request to https://foreman.example.com/. The request to https://foreman.example.com/ sets the _session_id cookie with HttpOnly and no secure flag, then redirects the request to https://foreman.example.com/users/login.
It seems that any subsequent HTTP request, e.g. a user trying to return to the application by visiting http://foreman.example.com/ rather than https:// will result in the session cookie going over the wire under HTTP. The initial access to Foreman doesn't appear to send it over HTTP at any point.
Our older fixes for session fixation problems under CVE-2014-0090 don't really help mitigate this new issue, as the privileged session ID can be leaked over an HTTP request.
In Foreman 1.8, there is an additional "timezone" cookie that is also set without the secure or HttpOnly flags, but only contains a string such as "Europe/London".
Both extra cookies would have negligible impact from a leak I think, but if the HTTP response could be intercepted and a different value set, it could cause a minor inconvenience for the user.
#5 Updated by Dominic Cleal about 4 years ago
- Subject changed from The _session_id cookie is issued without the Secure flag to CVE-2015-3155 - The _session_id cookie is issued without the Secure flag
- Private changed from Yes to No
CVE-2015-3155 has been assigned for this issue, which is now unembargoed.