Is cockpit vulnerable to clickjacking? [CVE-2021-3660] #16122
Comments
|
You are already the second person to report this recently. Apparently embedding as we document it is not en vogue any more.. We could default to X-Frame-Options: sameorigin (which should at least retain the reverse-proxy case, like in Foreman), and provide an option in cockpit.conf to open it up further. |
martinpitt
changed the title
|
@stefwalter, @mvollmer : What do you think about the above proposal? I'm afraid the discussions and goals about embedding happened before my time, so I'm a bit afraid of breaking an important use case. |
|
I think your proposal sounds reasonable. |
|
No, there is no way to set extra headers. |
|
I tried to run Embedding currently works as part of a cockpit web page (like on embed-cockpit example) for the same domain -- but as soon as I choose a different one like 127.0.0.2:9091 (our test VMs), it fails:
All our Cockpit pages have this relatively strict C-S-P. It looks like embedding cockpit across different origins silently broke some unknown time ago (whether this is due to new browser restrictions or some regression in cockpit-ws I can't say yet). So can you actually exploit this right now? I.e. embed a cockpit frame into a page from a different origin, and make it actually work? |
|
See PR #16342, where I am currently investigating this, wrote test cases for both cases (same and cross origin), and will add the |
|
I did not reproduce a bug.. I had the result of a Nessus scan, which showed the potential vulnerability in the report. My purpose of opening this ticket is to find if this is a real vulnerability, and how to prevent it if it is. Nessus report shows:
|
|
Thanks @rrandecker! I will add the X-F-O, I was mostly just interested in evaluating the scope and severity, whether I was missing a case where this actually can happen. |
|
Which redhat cockpit versions will have the X-F-O? |
|
@rrandecker : Initially, 8.6/9.0 final. I am still investigating how much of an actual problem this is, i.e. whether we need to backport this to at least 8.5 as well. As I mentioned, I am currently unable to get anything else besides the login page when doing a cross-domain frame embedding (which would be "harmless enough" IMHO, albeit a bit confusing). However, judging by https://bugzilla.redhat.com/show_bug.cgi?id=1980688 it is likely that I am missing something. |
This reproduces the scenario in cockpit-project#16122. Try to load a cockpit frame from a different domain (localhost:12346, from a local python web server), and ensure that this does not work beyond the login page. We really want it to refuse to load the frame at all, but as we currently don't set `X-Frame-Options:`, this currently does work, in both Chromium and Firefox. But make sure that the default browser/cookie policy prevents loading the frame and leaking credentials. This test only works in Firefox, as Chromium's CDP driver does not even expose cross-origin frames (even though the browser itself does show them).
Declare `X-Frame-Options: sameorigin` [1] so that cockpit frames can only be embedded into pages coming from the same origin. This is similar to setting CORP in commit 2b38b8d (which applies to `<script>`, `<img>`, etc.). The main use case for embedding is to run cockpit-ws behind a reverse proxy, while also serving other pages. Cross-origin embedding is discouraged these days to prevent "clickjacking". Cross-origin embedding already did not work in most cases: Frames would always just show the login page. However, this looks confusing and is unclean. With X-Frame-Options, the browser instead shows an explanatory error page. Mention the same origin requirement in the embedding documentation. Fixes cockpit-project#16122 https://bugzilla.redhat.com/show_bug.cgi?id=1980688 CVE-2021-3660 [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
This reproduces the scenario in #16122. Try to load a cockpit frame from a different domain (localhost:12346, from a local python web server), and ensure that this does not work beyond the login page. We really want it to refuse to load the frame at all, but as we currently don't set `X-Frame-Options:`, this currently does work, in both Chromium and Firefox. But make sure that the default browser/cookie policy prevents loading the frame and leaking credentials. This test only works in Firefox, as Chromium's CDP driver does not even expose cross-origin frames (even though the browser itself does show them).
Declare `X-Frame-Options: sameorigin` [1] so that cockpit frames can only be embedded into pages coming from the same origin. This is similar to setting CORP in commit 2b38b8d (which applies to `<script>`, `<img>`, etc.). The main use case for embedding is to run cockpit-ws behind a reverse proxy, while also serving other pages. Cross-origin embedding is discouraged these days to prevent "clickjacking". Cross-origin embedding already did not work in most cases: Frames would always just show the login page. However, this looks confusing and is unclean. With X-Frame-Options, the browser instead shows an explanatory error page. Mention the same origin requirement in the embedding documentation. Fixes #16122 https://bugzilla.redhat.com/show_bug.cgi?id=1980688 CVE-2021-3660 [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
Is this being patched back to RHEL 8.4 version of cockpit. or did you find clickjacking only gets you back to the login page? |
|
@rrandecker: I just made https://bugzilla.redhat.com/show_bug.cgi?id=1980688#c25 public with some details. In short, the That means that this only works in RHEL ≤ 8.3, but RHEL 8.4+ is mostly safe already. |
Through a security scan, I was notified:
Suggested solution is:
Is there a way to do this through the config in cockpit? or is there some other reason it is not subject to clickjacking?
Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1980688 (plus a few dependent ones for the individual packages in Fedora and RHEL 8/9)
The text was updated successfully, but these errors were encountered: