Bug 1193451 (CVE-2013-7436) - CVE-2013-7436 novnc: session hijack through insecurely set session token cookies
Summary: CVE-2013-7436 novnc: session hijack through insecurely set session token cookies
Keywords:
Status: NEW
Alias: CVE-2013-7436
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1193245 1193454 1203013 1203014 1203015 1203016
Blocks: 1193452
TreeView+ depends on / blocked
 
Reported: 2015-02-17 11:26 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)
27 users (show)

Fixed In Version: noVNC 0.5.1
Doc Type: Bug Fix
Doc Text:
It was discovered that noVNC did not properly set the 'secure' flag when issuing cookies. An attacker could use this flaw to intercept cookies via a man-in-the-middle attack.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0788 normal SHIPPED_LIVE Moderate: novnc security update 2015-04-07 19:08:12 UTC
Red Hat Product Errata RHSA-2015:0833 normal SHIPPED_LIVE Moderate: novnc security update 2015-04-16 17:53:08 UTC
Red Hat Product Errata RHSA-2015:0834 normal SHIPPED_LIVE Moderate: novnc security update 2015-04-16 17:53:00 UTC
Red Hat Product Errata RHSA-2015:0884 normal SHIPPED_LIVE Moderate: novnc security update 2015-04-23 17:04:07 UTC

Description Vasyl Kaigorodov 2015-02-17 11:26:21 UTC
Paul McMillan reported that noVNC prior to this patch:
https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
allows an attacker to steal insecurely set session token cookies, hijacking active or inactive VNC sessions.

Comment 1 Vasyl Kaigorodov 2015-02-17 11:32:41 UTC
Created novnc tracking bugs for this issue:

Affects: epel-all [bug 1193454]

Comment 2 Paul McMillan 2015-03-02 20:11:43 UTC
Does the post to oss-security need a bump? Nobody seems to have assigned a CVE for this issue...

Comment 3 Fedora Update System 2015-03-15 00:58:17 UTC
novnc-0.5.1-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-03-15 00:59:49 UTC
novnc-0.5.1-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Frantisek Kobzik 2015-03-16 14:27:25 UTC
It looks noVNC and SPICE-HTML5 in oVirt/RHEV-M is unaffected by this CVE (we don't use cookies).

Comment 6 Paul McMillan 2015-03-16 21:26:17 UTC
Unless you've explicitly disabled setting the cookie by modifying the source code, noVNC sets one. You're probably still vulnerable.

Log into a terminal and check the cookies, if you see an insecure cookie with a token in it, you've got the problem.

Comment 13 errata-xmlrpc 2015-04-07 15:11:58 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0788 https://rhn.redhat.com/errata/RHSA-2015-0788.html

Comment 14 errata-xmlrpc 2015-04-16 14:00:25 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0834 https://rhn.redhat.com/errata/RHSA-2015-0834.html

Comment 15 errata-xmlrpc 2015-04-16 14:01:07 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0833 https://rhn.redhat.com/errata/RHSA-2015-0833.html

Comment 16 errata-xmlrpc 2015-04-23 13:04:14 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2015:0884 https://rhn.redhat.com/errata/RHSA-2015-0884.html


Note You need to log in before you can comment on or make changes to this bug.