Bug 1849141 (CVE-2020-8184)

Summary: CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: rubygem-rack 2.1.4, rubygem-rack 2.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-rack. An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application. The highest threat from this vulnerability is to data integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 14:21:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: akarol, bbuckingham, bcourt, bkearney, bmidwood, btotty, dbecker, dmetzger, gmccullo, gp, gtanzill, hhudgeon, hvyas, jaruga, jfrey, jhardy, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mmccune, mo, nmoumoul, obarenbo, puebele, rchan, rhel8-maint, rhos-maint, rjerrido, roliveri, ruby-packagers-sig, sclewis, simaishi, slinaber, smallamp, sokeeffe, steve.traylen, strzibny, vondruch, xlecauch
Keywords: Reopened, Security
Bug Depends On: 1849143, 1839028, 1849142, 1849674, 1849845, 1850911, 1910700
Bug Blocks: 1849144

Description Guilherme de Almeida Suckevicz 2020-06-19 16:54:45 UTC
An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.


Comment 1 Guilherme de Almeida Suckevicz 2020-06-19 16:55:13 UTC
Created rubygem-rack tracking bugs for this issue:

Affects: epel-all [bug 1849143]
Affects: fedora-all [bug 1849142]

Comment 2 Yadnyawalk Tale 2020-06-22 04:21:01 UTC
External References:


Comment 3 Yadnyawalk Tale 2020-06-22 07:26:02 UTC
* HackerOne report: https://hackerone.com/reports/895727
* Cookie RFC: https://www.ietf.org/rfc/rfc2965.txt
* Initial idea of Magic-cookies aka cookie prefixes: https://textslashplain.com/2015/10/09/duct-tape-and-baling-wirecookie-prefixes/
* Idea to proposal; allowed prefix pattern: https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3

   Set-Cookie: __Secure-SID=12345; Secure; Domain=example.com
   Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/

The flaw in Rack allows a __%48ost-, __%53ecure- or custom cookie to be set without the HTTPS/root domain/secure page flag. With this escape, an attacker could set this cookie from a subdomain and have it apply to the root domain.

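The name-decoding collision described in the comment above, as an added Ruby illustration. This is not Rack's own source and not the upstream fix commit: it contrasts a cookie parser that percent-decodes the cookie name (the pre-fix behaviour, first occurrence of a name wins) with one that leaves the name verbatim, and adds a check that flags names which only acquire a reserved prefix after decoding. The helper names, the prefix list and the `ATTACK_HEADER` sample are assumptions constructed for the example.

```ruby
require 'uri'

# Reserved cookie-name prefixes from draft-west-cookie-prefixes (assumed list).
COOKIE_PREFIXES = ['__Host-', '__Secure-'].freeze

# Percent-decoding under application/x-www-form-urlencoded rules ('+' also
# becomes a space); an invalid escape sequence leaves the input untouched.
def cookie_unescape(s)
  URI.decode_www_form_component(s.to_s)
rescue ArgumentError
  s.to_s
end

# Pre-fix behaviour (illustrative): both name and value are percent-decoded and
# the first occurrence of a name wins. "__%48ost-SID" decodes to "__Host-SID"
# and collides with the genuine prefixed cookie, although the browser never
# applied the __Host- rules (Secure, no Domain, Path=/) to the encoded name.
def parse_cookies_vulnerable(header)
  cookies = {}
  header.to_s.split(/; */).each do |pair|
    next if pair.empty?
    raw_name, raw_value = pair.split('=', 2)
    name = cookie_unescape(raw_name)
    cookies[name] = cookie_unescape(raw_value) unless cookies.key?(name)
  end
  cookies
end

# Hardened behaviour: the name is taken verbatim and only the value is decoded,
# so "__%48ost-SID" and "__Host-SID" stay distinct keys and a cookie set without
# the prefix protections cannot shadow one that was set with them.
def parse_cookies_fixed(header)
  cookies = {}
  header.to_s.split(/; */).each do |pair|
    next if pair.empty?
    raw_name, raw_value = pair.split('=', 2)
    cookies[raw_name] = cookie_unescape(raw_value) unless cookies.key?(raw_name)
  end
  cookies
end

# Defence in depth for code that still decodes names somewhere: true when a raw
# cookie name only gains a reserved prefix after percent-decoding.
def spoofed_prefix?(raw_name)
  decoded = cookie_unescape(raw_name)
  COOKIE_PREFIXES.any? { |p| decoded.start_with?(p) && !raw_name.start_with?(p) }
end

# Constructed Cookie header: the attacker's cookies were set from a subdomain
# under names the browser does not treat as prefixed, and arrive first.
ATTACK_HEADER = '__%48ost-SID=attacker; __Host-SID=legit; __%53ecure-token=forged'

if $PROGRAM_NAME == __FILE__
  p parse_cookies_vulnerable(ATTACK_HEADER)
  # => {"__Host-SID"=>"attacker", "__Secure-token"=>"forged"}
  p parse_cookies_fixed(ATTACK_HEADER)
  # => {"__%48ost-SID"=>"attacker", "__Host-SID"=>"legit", "__%53ecure-token"=>"forged"}
  p ATTACK_HEADER.split(/; */).map { |c| spoofed_prefix?(c.split('=', 2).first) }
  # => [true, false, true]
end
```

The first-wins rule matters here: browsers order cookies by path specificity and then creation time, so an attacker who can set the encoded-name cookie with a longer Path than the real one controls which value the decoding parser keeps. Leaving the name verbatim removes the collision entirely; the `spoofed_prefix?` check is only useful for applications that decode names themselves.
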
Comment 4 Yadnyawalk Tale 2020-06-22 07:27:03 UTC
Upstream fix: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c

Comment 15 Sage McTaggart 2020-06-30 14:21:35 UTC

Because the Red Hat OpenStack Platform 13.0 Operational Tools packages ship the flawed code but do not use its functionality, its Impact has been reduced to 'Low'.

Red Hat Satellite 6 and Red Hat CloudForms ship the affected RubyGem Rack; however, since overwriting cookies is not possible, the products are not vulnerable to the flaw. We may update the Rack dependency in future releases.

Red Hat Gluster Storage 3 ships RubyGem Rack, but the version shipped does not contain the affected code. Therefore, it is impossible to overwrite cookies using this particular flaw.

Comment 16 errata-xmlrpc 2020-10-27 12:57:23 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Comment 17 Product Security DevOps Team 2020-10-27 14:21:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):