Bug 1092875 (CVE-2014-0197) - CVE-2014-0197 CFME: CSRF protection vulnerability in referrer header
Summary: CVE-2014-0197 CFME: CSRF protection vulnerability in referrer header
Alias: CVE-2014-0197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1142451 1142452
Blocks: 1092876
TreeView+ depends on / blocked
Reported: 2014-04-30 07:31 UTC by Kurt Seifried
Modified: 2019-09-29 13:16 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-12 21:24:19 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2014-04-30 07:31:16 UTC
Jan Rusnacko of Red Hat reports:

currently CSRF protection of CFME is based on checking the referer header.
Implementation of the check is not strict enough and permits attacker CSRF in
certain scenarios. Assuming CFME is running on cfme.host and client's browser
sent referer without a full path during authentication, attacker can mount CSRF
from domain cfme.host.evil.com, which will bypass CSRF referer check.

Code in the request_referer_service.rb contains following:

class RequestRefererService
  def referer_valid?(referer, string_to_test)

This check only makes sure that referer starts with string_to_test, with the
assumption that it is FQDN of CFME host. String to test is set in
DashboardController in authenticate action:

538:         session['referer'] = request.referer.sub(/\?.*/,'')

When user first authenticates, CFME saves the referer. Login form, from which
user fires off authenticate request, is located at the root, so referer should
contain URL in form "https://cfme.host/". This is stripped from any parameters
and saved to session['referer'], which will again contain "https://cfme.host/"
for the rest of the session. Any subsequent user requests must include referer
starting with "https://cfme.host/".

Sending referer header raises privacy concerns. To mitigate them, referer sent
by the client may not include full URL, but only protocol+hostname instead of
full path. This is exactly idea behind original proposal of Origin header (for
details see [1]). Stripping full URL to hostname (or just domain) can be
achieved by for example by Referer Control addon to Firefox, or perhaps
implemented at network level as a part of company security policy.

If the client sends authenticate request without trailing "/", then
session['referer'] will contain something like "https://cfme.host", or just
"cfme.host", and attacker can simply mount CSRF from "cfme.host.evil.com" and
pass the check.

This attack on broken Referer check implementation is described in OWASP CSRF
prevention cheat sheet [2].

Thank you.

[1] http://seclab.stanford.edu/websec/csrf/csrf.pdf
[2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Checking_The_Referer_Header

Comment 1 Martin Povolny 2014-04-30 09:13:15 UTC
proposed upstream fix: https://github.com/ManageIQ/cfme/pull/2179

Comment 2 Kurt Seifried 2014-04-30 17:52:07 UTC
This is public now: https://github.com/ManageIQ/cfme/pull/2179

Comment 3 Martin Povolny 2014-04-30 19:57:26 UTC
The above is not "public". It's a private repo.

Comment 6 Kurt Seifried 2015-01-12 21:21:51 UTC
This issue has been addressed in following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html

Note You need to log in before you can comment on or make changes to this bug.