Bug 1813447 (CVE-2020-10109) - CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header
Summary: CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a C...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10109
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1818678 1818679 1819272 1821421 1821423 1825802 1813448 1813449 1813450 1818681 1819271 1821422 1823598
Blocks: 1813453
TreeView+ depends on / blocked
 
Reported: 2020-03-13 20:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-06-26 19:09 UTC (History)
34 users (show)

Fixed In Version: twisted 20.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
Clone Of:
Environment:
Last Closed: 2020-04-23 16:31:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1561 None None None 2020-04-23 14:12:12 UTC

Description Guilherme de Almeida Suckevicz 2020-03-13 20:02:33 UTC
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.

Reference:
https://know.bishopfox.com/advisories/twisted-version-19.10.0

Comment 1 Guilherme de Almeida Suckevicz 2020-03-13 20:03:03 UTC
Created python-twisted tracking bugs for this issue:

Affects: epel-8 [bug 1813450]
Affects: fedora-all [bug 1813449]
Affects: openstack-rdo [bug 1813448]

Comment 2 Summer Long 2020-03-24 04:50:14 UTC
External References:

https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst

Comment 6 Riccardo Schirone 2020-03-30 14:41:41 UTC
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.

Comment 8 Riccardo Schirone 2020-03-30 15:18:56 UTC
rhel-6/python-twisted-web is not affected by this flaw because the logic in function headerReceived() is a bit different from the vulnerable version, so even if both Content-Length and Transfer-Encoding are specified, the Transfer-Encoding one will have precedence over the Content-Length.

Comment 10 Riccardo Schirone 2020-03-31 15:12:28 UTC
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration.

Comment 11 Riccardo Schirone 2020-03-31 15:16:24 UTC
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.

Comment 12 Riccardo Schirone 2020-03-31 15:20:03 UTC
Mitigation:

When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.

Comment 14 Riccardo Schirone 2020-03-31 15:29:29 UTC
First upstream version to introduce this issue is twisted-9.0.0.
The first vulnerable commits appears to be: https://github.com/twisted/twisted/commit/54898f28f4bab89cef9ab8f0c78c748b560c4e22 .

Comment 19 Sam Fowler 2020-04-14 01:38:46 UTC
Statement:

Although Red Hat OpenStack Platform packages the flawed code, python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate.

OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used.

Red Hat Satellite uses affected versions of `python-twisted` and  `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future.

This issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.

Comment 22 errata-xmlrpc 2020-04-23 14:12:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561

Comment 23 Product Security DevOps Team 2020-04-23 16:31:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10109


Note You need to log in before you can comment on or make changes to this bug.