Bug 1854373 (CVE-2020-14319) - CVE-2020-14319 amq-on: CSRF (in graphQL requests)
Summary: CVE-2020-14319 amq-on: CSRF (in graphQL requests)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1852281
 
Reported: 2020-07-07 10:26 UTC by lnacshon
Modified: 2021-02-16 19:42 UTC (History)
CC List: 9 users

See Also:
Fixed In Version: amq-online-1.5.2 enmasse-0.32.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the AMQ Online console, where it is vulnerable to a Cross-Site Request Forgery attack (CSRF), which is exploitable in cases where preflight checks are not instigated or bypassed. This flaw allows an attacker to target authorized users using an older browser with Adobe Flash. The highest threat from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed: 2020-07-29 19:28:08 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:3209  0        None      None    None     2020-07-29 15:21:48 UTC

Description lnacshon 2020-07-07 10:26:43 UTC
Currently it is known that the following browsers can be used for a successful attack:

* Chrome prior to version 76

* Firefox prior to version 61

* Opera Browser prior to version 68
More details in the task bug.
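
The attack described in this bug works because a state-changing GraphQL POST can reach the server from a page the victim did not intend to act from, with the victim's session cookies attached, and without the browser's CORS preflight standing in the way. The following is an added example of a server-side gate for such an endpoint; it is not EnMasse or AMQ Online code and does not describe the actual fix shipped in amq-online-1.5.2. The console origin `https://console.example.test`, the `X-CSRF-Token` header, the per-session token and the placeholder mutation in the sample bodies are all assumptions for the example. It layers three checks so that the request is still rejected when, as here, the preflight that normally protects `application/json` POSTs is not performed by the victim's browser:

```python
"""CSRF gate for a GraphQL endpoint: accept a state-changing request only when it
could not have been forged by a cross-site page.

Added example, not EnMasse/AMQ Online code. Assumed names (not from the bug):
the console origin https://console.example.test, the X-CSRF-Token header carrying
a per-session token, and the placeholder mutation used in the sample bodies."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://console.example.test"}  # assumed console origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Media types a browser sends cross-site with no CORS preflight (HTML forms etc.).
NO_PREFLIGHT_TYPES = {"text/plain", "multipart/form-data",
                      "application/x-www-form-urlencoded"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str]        # header names lower-cased
    body: bytes
    session_token: Optional[str]   # CSRF token held in the server-side session


def media_type(content_type: Optional[str]) -> str:
    """'Application/JSON; charset=utf-8' -> 'application/json'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def origin_of(url: Optional[str]) -> Optional[str]:
    """Reduce a Referer URL to scheme://host[:port]; None if unusable."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass for an unsafe method."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    mt = media_type(req.headers.get("content-type"))
    # 1. Reject anything a plain <form> can send: those never trigger a preflight.
    if mt == "" or mt in NO_PREFLIGHT_TYPES:
        return False, f"content type {mt or '<none>'} is forgeable without preflight"
    if mt != "application/json":
        return False, f"unexpected content type {mt}"
    # 2. Origin allow-list. Check 1 only helps while the browser's preflight is
    #    intact; this bug is exactly the case where it was not.
    origin = req.headers.get("origin") or origin_of(req.headers.get("referer"))
    if origin is None:
        return False, "no Origin or Referer on a state-changing request"
    if origin.lower() not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    # 3. Synchronizer token: a value the attacker's page cannot read or guess,
    #    compared in constant time.
    token = req.headers.get("x-csrf-token")
    if not (req.session_token and token and hmac.compare_digest(token, req.session_token)):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


# Constructed sample traffic (not captured from a real deployment).
TOKEN = "3f9c1b7e"  # pretend per-session token
MUTATION = b'{"query":"mutation { somePlaceholderMutation }"}'  # placeholder body


def forged_form_post() -> Request:
    """A <form method=POST enctype=text/plain> on attacker.example; cookies attached."""
    return Request("POST", {"content-type": "text/plain",
                            "origin": "https://attacker.example"}, MUTATION, TOKEN)


def forged_json_post() -> Request:
    """JSON POST that reached the server with no preflight (the scenario in this bug)."""
    return Request("POST", {"content-type": "application/json",
                            "referer": "https://attacker.example/page"}, MUTATION, TOKEN)


def legitimate_post() -> Request:
    return Request("POST", {"content-type": "application/json; charset=utf-8",
                            "origin": "https://console.example.test",
                            "x-csrf-token": TOKEN}, MUTATION, TOKEN)


if __name__ == "__main__":
    for name, req in [("form", forged_form_post()), ("json", forged_json_post()),
                      ("legit", legitimate_post())]:
        print(name, check_csrf(req))
```

The order of the checks matters less than having all three: the content-type check alone is what an older browser with Flash could get past, the Origin check fails open if a client strips both Origin and Referer (hence the explicit rejection when neither is present), and the token is the only check that does not depend on browser behaviour at all.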

Comment 1 lnacshon 2020-07-07 10:26:47 UTC
Acknowledgments:

Name: Jeremy Choi (Red Hat)

Comment 8 errata-xmlrpc 2020-07-29 15:21:46 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Online 1.5.2 GA

Via RHSA-2020:3209 https://access.redhat.com/errata/RHSA-2020:3209

Comment 9 Product Security DevOps Team 2020-07-29 19:28:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14319

Comment 13 Jonathan Christison 2020-08-10 16:52:09 UTC
A word on scoring: our scoring is currently 5.9/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H and NVD's is 8.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability Metrics: 

Attack Vector Network (AV:N) -
Agree here. Although the attack requires user interaction, e.g. spear phishing, the attack vector is Network, as this attack does not require the attacker to have a presence on the private OpenShift network and the service itself is tied to the network stack.

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree with the scoring of a low attack complexity, we believe there are elements of the attack that depend on conditions beyond the attackers control -

Although we address user interaction in a separate section, it's worth mentioning that in order for the victim's browser to make the POST requests without preflight checks there must be a method for the attacker to do this; we highlight one such example of older browsers with Flash. This means there are two main prerequisites for the attack and, depending on the request, a third element outside the attacker's control.

*) Outdated or unpatched browser
*) 3rd party plugin such as Adobe Flash
*) As this is a blind attack relying on POST requests, some API endpoints will require information the attacker will not possess, such as namespace IDs or the requesting user's ID.

We do not believe an attacker can rely on either of these elements to be true.
 
Privileges Required None (PR:N) -
Agree here; the attacker does not need to be a privileged user, e.g. no login is required to exploit the base flaw. The attack relies on a privileged user making the requests for the attacker.

User Interaction None (UI:R)
Agree here; the attack would rely on a privileged user visiting resources an attacker controls, i.e. by a phishing attack.

Scope Unchanged (S:U)
Agree here; the attacker will not be able to escape the scope of the targeted user.
 
Impact Metrics:

Confidentiality High (C:H) -> Confidentiality None (C:N)
We disagree with the scoring of high impact on confidentiality. This attack relies on targeted users sending POST requests at the attacker's behest; the attacker can expect the API calls to be carried out but will not get a response (it is a blind attack). As the user management of this application is not part of the vulnerable API, an attacker would not, for example, be able to change a password and gain access to information, and we cannot see any other information disclosure being possible.

*) The http method must be unsafe (POST,PUT,DELETE etc)
 
Integrity High (I:H) -> Integrity Low (I:L) 
We disagree with the scoring of high impact upon integrity; the attacker does not have the ability to modify any and all data. Though we address this under attack complexity, there are elements of the POST request that require information about the system structure that the attacker will not have access to; for example, deleting address spaces in AMQ Online would require the attacker to have knowledge of the namespace's name. This means only some of the data they have access to is amenable

Availability High (A:H)
Agree here; if the attacker is able to overcome the previously mentioned caveats they can potentially permanently delete resources and thus deny other users access to them.

