Bug 1812962 (CVE-2020-1760) - CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS
Summary: CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1760
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1813284 1813285 1813286 1821587
Blocks: 1812829
Reported: 2020-03-12 15:17 UTC by Marian Rehak
Modified: 2021-02-16 20:28 UTC (History)

Fixed In Version: ceph 15.2.1, ceph 14.2.9, ceph 13.2.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ceph Object Gateway (RGW), which accepts requests sent by an anonymous user to its Amazon S3 API. This flaw could lead to XSS attacks due to the lack of proper neutralization of untrusted input.
Clone Of:
Environment:
Last Closed: 2020-07-20 19:27:38 UTC
Embargoed:
hvyas: needinfo-




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:3003  0        None      None    None     2020-07-20 14:20:55 UTC

Description Marian Rehak 2020-03-12 15:17:12 UTC
If the attacker knows the path to a publicly readable object on any RGW cluster, and the object there is at least large enough to cover the attack body, it's possible to run an XSS on any object.

Comment 4 Hardik Vyas 2020-03-16 14:30:39 UTC
Mitigation:

* Mitigation provided by DigitalOcean:

Mitigation relies on the HAProxy load-balancers in front of RGW, and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.

1. Detect usage of the query parameters without any signature (either pre-signed or header) and return an S3-formatted error.
2. Validate the content in the query parameters and return an S3-formatted error.

HAProxy mitigation:
===
acl req_s3_GetObject REDACTED ## redacted uses internal Lua to detect GetObject
acl has_accesskey REDACTED ## redacted uses internal Lua to detect & validate signature

# detection 1, QPs present
acl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found
acl req_s3_GetObject_urlp_response url_param(response-expires) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-language) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-type) -m found

# detection 2, QPs containing unprintable ASCII incl. CRLF (percent-encoded, matched as case-insensitive substrings of the raw query value)
acl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f

# block for detection 1
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey

# block for detection 2
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf
===
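Added example (my own, not code from Ceph, Red Hat or DigitalOcean's Lua): a Python simulation of the S3 GetObject response-* header override described in the report above, showing why an unneutralized CRLF in an override value splits the HTTP response and why the public object has to be at least as large as the injected body, followed by a request filter that implements the two detections of the HAProxy mitigation (override parameters on a request without a signature; control characters in an override value). The host, the object and the URLs are constructed samples, and the S3 error codes and HTTP statuses used for the rejections are my assumption, not what RGW or the redacted Lua service returns.

```python
"""Header splitting via S3 GetObject response-* overrides: the flaw, the client's
view of it, and the two-rule filter from the HAProxy mitigation.
Added example, not RGW code and not DigitalOcean's mitigation."""
from urllib.parse import parse_qsl, urlsplit

# GetObject query parameters that the gateway copies into response headers.
RESPONSE_OVERRIDES = {
    "response-cache-control": "Cache-Control",
    "response-content-disposition": "Content-Disposition",
    "response-content-encoding": "Content-Encoding",
    "response-content-language": "Content-Language",
    "response-content-type": "Content-Type",
    "response-expires": "Expires",
}

# HTTP status for each rejection; assumed here, not taken from RGW.
ERROR_STATUS = {"AccessDenied": "403 Forbidden", "InvalidArgument": "400 Bad Request"}


def overrides_in(url: str) -> dict:
    """Percent-decoded response-* parameters of a GetObject URL, name -> value."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if k in RESPONSE_OVERRIDES}


def build_response_vulnerable(url: str, obj: bytes) -> bytes:
    """The flaw: each override value is written into the header block verbatim."""
    lines = ["HTTP/1.1 200 OK", f"Content-Length: {len(obj)}"]
    for name, value in overrides_in(url).items():
        lines.append(f"{RESPONSE_OVERRIDES[name]}: {value}")  # CR/LF pass straight through
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + obj


def client_view(response: bytes):
    """What a browser sees: headers end at the first blank line and the body is the
    next Content-Length bytes, so an injected body displaces the object's tail."""
    head, _, rest = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest[: int(headers["content-length"])]


def has_ctl(value: str) -> bool:
    """True if the decoded value contains an ASCII control character (0x00-0x1f, 0x7f)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def check_get_object(url: str, has_accesskey: bool):
    """Detection 1: response-* overrides on a request without a signature.
    Detection 2: an override value carrying a control character (CR/LF included).
    Returns None to allow the request, or the S3 error code to answer with."""
    overrides = overrides_in(url)
    if overrides and not has_accesskey:
        return "AccessDenied"
    if any(has_ctl(v) for v in overrides.values()):
        return "InvalidArgument"
    return None


def build_response_hardened(url: str, obj: bytes, has_accesskey: bool) -> bytes:
    """Same builder behind the two checks; rejections come back as S3-style XML errors."""
    code = check_get_object(url, has_accesskey)
    if code is None:
        return build_response_vulnerable(url, obj)
    body = f'<?xml version="1.0" encoding="UTF-8"?><Error><Code>{code}</Code></Error>'.encode()
    head = (f"HTTP/1.1 {ERROR_STATUS[code]}\r\nContent-Type: application/xml\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


# Constructed samples: a 64-byte public object and an anonymous GetObject URL whose
# response-content-type value carries CRLFCRLF plus a script as the new "body".
OBJECT = b"A" * 64
ATTACK_URL = ("https://rgw.example/bucket/public.txt?response-content-type="
              "text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E")
BENIGN_URL = "https://rgw.example/bucket/public.txt?response-content-disposition=attachment"

if __name__ == "__main__":
    headers, body = client_view(build_response_vulnerable(ATTACK_URL, OBJECT))
    print("vulnerable:", headers["content-type"], body[:40], "object bytes lost:", 64 - body.count(b"A"))
    for url, signed in ((ATTACK_URL, False), (ATTACK_URL, True), (BENIGN_URL, False), (BENIGN_URL, True)):
        print("filter:", "signed" if signed else "anonymous", check_get_object(url, signed))
    print(build_response_hardened(ATTACK_URL, OBJECT, False).split(b"\r\n")[0])
```

The filter checks the percent-decoded value, which is what the gateway actually writes into the header, whereas the HAProxy ACLs above match the encoded %00..%1f sequences as substrings of the raw query value; both reject the same CRLF payloads, but the decoded check is the one to use inside the application itself. The client_view output also makes the "object must be at least as large as the attack body" condition from the description concrete: the injected script is served as the start of the body and the same number of bytes disappears from the end of the real object.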

Comment 6 Hardik Vyas 2020-03-17 10:18:37 UTC
Acknowledgments:

Name: Robin H. Johnson (DigitalOcean)
Upstream: William Bowling

Comment 11 Hardik Vyas 2020-04-07 06:57:55 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 1821587]

Comment 12 Hardik Vyas 2020-04-07 07:07:06 UTC
Upstream Patches:

https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
https://github.com/ceph/ceph-ci/commit/18eb4d918b27d362312c29a3bbd57a421897c0a5
https://github.com/ceph/ceph-ci/commit/1bf14094fec34770d2cc74317f4238ccb2dfef98

The patches are currently available from ceph.git clone(ceph-ci) and will be pushed to active releases soon.

Comment 13 Hardik Vyas 2020-04-07 07:10:13 UTC
Statement:

Red Hat OpenStack Platform 15 (RHOSP) packages Ceph but no longer uses it, instead pulling ceph directly from the Red Hat Ceph Storage 4 repository. For this reason, RHOSP will not be updated for this flaw.

This issue affects the versions of ceph as shipped with Red Hat Ceph Storage 3, 4 and Red Hat OpenShift Container Storage 4.2, as it allows unauthenticated requests sent by an anonymous user for Amazon S3.

Comment 14 Hardik Vyas 2020-04-13 06:11:10 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/04/07/1

Comment 20 errata-xmlrpc 2020-07-20 14:20:53 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 4.1

Via RHSA-2020:3003 https://access.redhat.com/errata/RHSA-2020:3003

Comment 21 Product Security DevOps Team 2020-07-20 19:27:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1760

