Bug 1813439 (CVE-2020-10108)

Summary: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bbuckingham, bcourt, bkearney, bmontgom, btotty, dbecker, dominik.mierzejewski, eparis, hhudgeon, hvyas, jburrell, jjoyce, jokerman, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, mmccune, nstielau, python-maint, python-sig, rchan, rhos-maint, rjerrido, rschiron, sclewis, slinaber, sokeeffe, sponnaga, tvignaud, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: twisted 20.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests, accepting requests with more than one Content-Length header. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-23 16:31:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1813440, 1813441, 1813442, 1818675, 1818676, 1818680, 1819267, 1819268, 1819269, 1821412, 1821413, 1821414, 1823598, 1825803
Bug Blocks: 1813453

Description Guilherme de Almeida Suckevicz 2020-03-13 19:57:29 UTC
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Reference:
https://know.bishopfox.com/advisories/twisted-version-19.10.0

Comment 1 Guilherme de Almeida Suckevicz 2020-03-13 19:58:00 UTC
Created python-twisted tracking bugs for this issue:

Affects: epel-8 [bug 1813442]
Affects: fedora-all [bug 1813441]
Affects: openstack-rdo [bug 1813440]

Comment 2 Summer Long 2020-03-24 04:50:09 UTC
External References:

https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

Comment 6 Riccardo Schirone 2020-03-30 14:41:36 UTC
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.

Comment 8 Riccardo Schirone 2020-03-30 15:21:52 UTC
Function headerReceived() in http.py does not check whether a previous Content-Length header was already parsed, so when an attacker specifies two times the Content-Length, only the last one would be considered. However this is not the right behaviour according to RFC7230, so it can result in an HTTP request smuggling attack in case a proxy/firewall or another not-vulnerable component is placed before/after twisted.
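
The defect described in Comment 8 is a header parser in which a repeated Content-Length simply overwrites the earlier value. The following is an added example, not Twisted's code, that puts that lenient "last header wins" rule beside a strict framing check following RFC 7230 section 3.3.2 (multiple Content-Length fields, or Content-Length combined with Transfer-Encoding, are rejected rather than resolved silently). The request bytes, function names and the AmbiguousFraming exception are constructed for the example; the strict check goes slightly beyond the bug report by also covering the Transfer-Encoding case from the same RFC section.

```python
"""Strict vs. lenient Content-Length handling for an HTTP/1.1 request head.

Added example (not Twisted's own code). Shows why a parser that keeps only
the last Content-Length value produces a different body length than a
parser that refuses ambiguous framing, as RFC 7230 section 3.3.2 requires.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[bytes, bytes]]


class AmbiguousFraming(ValueError):
    """Raised when the message body length cannot be determined unambiguously."""


def parse_header_block(raw: bytes) -> Tuple[bytes, Headers]:
    """Split a raw request head into the request line and (name, value) pairs.

    Header names are lower-cased and values stripped. Obsolete line folding
    is rejected outright; the body after the blank line is not inspected.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: Headers = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def content_length_last_wins(headers: Headers) -> Optional[int]:
    """Lenient rule matching the flaw: every Content-Length overwrites the previous one."""
    length = None
    for name, value in headers:
        if name == b"content-length":
            length = int(value)
    return length


def content_length_strict(headers: Headers) -> Optional[int]:
    """Body length per RFC 7230 s3.3.2/3.3.3, or None when Transfer-Encoding governs framing.

    Differing duplicate Content-Length values must be rejected; identical
    duplicates may be rejected or collapsed, and rejecting is the conservative
    choice taken here. Content-Length next to Transfer-Encoding is rejected too.
    """
    lengths = [value for name, value in headers if name == b"content-length"]
    has_te = any(name == b"transfer-encoding" for name, _ in headers)
    if has_te and lengths:
        raise AmbiguousFraming("Content-Length together with Transfer-Encoding")
    if has_te:
        return None
    if not lengths:
        return 0  # a request without either header has no body
    if len(lengths) > 1:
        raise AmbiguousFraming("multiple Content-Length headers: %r" % lengths)
    if not lengths[0].isdigit():
        raise AmbiguousFraming("non-numeric Content-Length: %r" % lengths[0])
    return int(lengths[0])


def check_request(raw: bytes) -> Tuple[str, object]:
    """Return ("accept", body_length) or ("reject", reason) for a raw request head."""
    try:
        _, headers = parse_header_block(raw)
        return ("accept", content_length_strict(headers))
    except ValueError as exc:  # AmbiguousFraming is a ValueError subclass
        return ("reject", str(exc))


# Constructed sample inputs (not captured traffic).
NORMAL_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# The condition the bug report describes: two Content-Length fields, the
# second set to zero. A last-wins parser sees an empty body; a strict one refuses.
AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        _, hdrs = parse_header_block(raw)
        print(label, "last-wins:", content_length_last_wins(hdrs), "strict:", check_request(raw))
```

Run stand-alone it prints the two decisions side by side: the lenient rule reports a body length of 0 for the ambiguous request, so the bytes that follow would be read as the start of the next request on the same connection, while the strict check rejects the message before any framing decision is made. Rejecting rather than collapsing identical duplicates is deliberate; a front-end and a back-end that resolve duplicates differently is exactly the disagreement the Doc Text above warns about.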

Comment 10 Riccardo Schirone 2020-03-31 15:10:31 UTC
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration.

Comment 11 Riccardo Schirone 2020-03-31 15:16:21 UTC
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.

Comment 12 Riccardo Schirone 2020-03-31 15:19:58 UTC
Mitigation:

When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.

Comment 24 errata-xmlrpc 2020-04-23 14:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561

Comment 25 Product Security DevOps Team 2020-04-23 16:31:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10108

Comment 26 errata-xmlrpc 2020-04-29 09:45:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1962 https://access.redhat.com/errata/RHSA-2020:1962

Comment 27 Summer Long 2020-12-18 01:47:13 UTC
Statement:

OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used.

Red Hat OpenStack Platform packages the flawed code, however python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package.

Red Hat Satellite uses affected versions of the `python-twisted` and `python-twisted-web` modules in Pulp; however, it is not vulnerable since the `http` module of the web implementation is not exposed in the product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in the future.

This issue affects the version of python-twisted (embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.