Bug 1092875 (CVE-2014-0197)

Summary: CVE-2014-0197 CFME: CSRF protection vulnerability in referrer header
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apatters, bdunne, dajohnso, dclarizi, gmccullo, jfrey, jrafanie, jrusnack, kseifried, mfeifer, mpovolny, obarenbo, security-response-team, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-12 21:24:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1142451, 1142452    
Bug Blocks: 1092876    

Description Kurt Seifried 2014-04-30 07:31:16 UTC 
Jan Rusnacko of Red Hat reports:

currently CSRF protection of CFME is based on checking the referer header.
Implementation of the check is not strict enough and permits attacker CSRF in
certain scenarios. Assuming CFME is running on cfme.host and client's browser
sent referer without a full path during authentication, attacker can mount CSRF
from domain cfme.host.evil.com, which will bypass CSRF referer check.

Code in the request_referer_service.rb contains following:

class RequestRefererService
  def referer_valid?(referer, string_to_test)
    referer.to_s.starts_with?(string_to_test)
  end
end

This check only makes sure that referer starts with string_to_test, with the
assumption that it is FQDN of CFME host. String to test is set in
DashboardController in authenticate action:

538:         session['referer'] = request.referer.sub(/\?.*/,'')

When user first authenticates, CFME saves the referer. Login form, from which
user fires off authenticate request, is located at the root, so referer should
contain URL in form "https://cfme.host/". This is stripped from any parameters
and saved to session['referer'], which will again contain "https://cfme.host/"
for the rest of the session. Any subsequent user requests must include referer
starting with "https://cfme.host/".

Sending referer header raises privacy concerns. To mitigate them, referer sent
by the client may not include full URL, but only protocol+hostname instead of
full path. This is exactly idea behind original proposal of Origin header (for
details see [1]). Stripping full URL to hostname (or just domain) can be
achieved by for example by Referer Control addon to Firefox, or perhaps
implemented at network level as a part of company security policy.

If the client sends authenticate request without trailing "/", then
session['referer'] will contain something like "https://cfme.host", or just
"cfme.host", and attacker can simply mount CSRF from "cfme.host.evil.com" and
pass the check.

This attack on broken Referer check implementation is described in OWASP CSRF
prevention cheat sheet [2].

Thank you.

[1] http://seclab.stanford.edu/websec/csrf/csrf.pdf
[2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Checking_The_Referer_Header
Comment 1 Martin Povolny 2014-04-30 09:13:15 UTC 
proposed upstream fix: https://github.com/ManageIQ/cfme/pull/2179
Comment 2 Kurt Seifried 2014-04-30 17:52:07 UTC 
This is public now: https://github.com/ManageIQ/cfme/pull/2179
Comment 3 Martin Povolny 2014-04-30 19:57:26 UTC 
The above is not "public". It's a private repo.
Comment 6 Kurt Seifried 2015-01-12 21:21:51 UTC 
This issue has been addressed in following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html