Bug 1813439 (CVE-2020-10108) - CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers
Summary: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10108
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1818675 1818676 1819269 1821412 1821414 1825803 1813440 1813441 1813442 1818680 1819267 1819268 1821413 1823598
Blocks: 1813453
TreeView+ depends on / blocked
 
Reported: 2020-03-13 19:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-06-26 19:09 UTC (History)
35 users (show)

Fixed In Version: twisted 20.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests, accepting requests with more than one Content-Length header. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
Clone Of:
Environment:
Last Closed: 2020-04-23 16:31:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1561 None None None 2020-04-23 14:12:12 UTC
Red Hat Product Errata RHSA-2020:1962 None None None 2020-04-29 09:46:03 UTC

Description Guilherme de Almeida Suckevicz 2020-03-13 19:57:29 UTC
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.

Reference:
https://know.bishopfox.com/advisories/twisted-version-19.10.0

Comment 1 Guilherme de Almeida Suckevicz 2020-03-13 19:58:00 UTC
Created python-twisted tracking bugs for this issue:

Affects: epel-8 [bug 1813442]
Affects: fedora-all [bug 1813441]
Affects: openstack-rdo [bug 1813440]

Comment 2 Summer Long 2020-03-24 04:50:09 UTC
External References:

https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

Comment 6 Riccardo Schirone 2020-03-30 14:41:36 UTC
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.

Comment 8 Riccardo Schirone 2020-03-30 15:21:52 UTC
Function headerReceived() in http.py does not check whether a previous Content-Length header was already parsed, so when an attacker specifies two times the Content-Length, only the last one would be considered. However this is not the right behaviour according to RFC7230, so it can result in an HTTP request smuggling attack in case a proxy/firewall or another not-vulnerable component is placed before/after twisted.

Comment 10 Riccardo Schirone 2020-03-31 15:10:31 UTC
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration.

Comment 11 Riccardo Schirone 2020-03-31 15:16:21 UTC
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.

Comment 12 Riccardo Schirone 2020-03-31 15:19:58 UTC
Mitigation:

When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.

Comment 21 Sam Fowler 2020-04-14 01:37:48 UTC
Statement:

Although Red Hat OpenStack Platform packages the flawed code, python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate.

OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used.

Red Hat Satellite uses affected versions of `python-twisted` and  `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future.

This issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.

Comment 24 errata-xmlrpc 2020-04-23 14:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561

Comment 25 Product Security DevOps Team 2020-04-23 16:31:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10108

Comment 26 errata-xmlrpc 2020-04-29 09:45:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1962 https://access.redhat.com/errata/RHSA-2020:1962


Note You need to log in before you can comment on or make changes to this bug.