=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN407
_____________________________________________________________________

DATE                : 19/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenStack Nova versions prior
                  to 21.2.3, 22.x prior to 22.2.3, 23.x prior to 23.0.2.

=====================================================================
https://security.openstack.org/ossa/OSSA-2021-004.html
_____________________________________________________________________


OSSA-2021-002: Open Redirect in noVNC proxy


Date    July 29, 2021
CVE     CVE-2021-3654

Affects

    Nova: <21.2.3, >=22.0.0 <22.2.3, >=23.0.0 <23.0.2


Description

Swe Aung, Shahaan Ayyub, and Salman Khan with the Monash University
Cyber Security team reported a vulnerability affecting Nova’s noVNC
proxying implementation which exposed access to a well-known redirect
behavior in the Python standard library’s
http.server.SimpleHTTPRequestHandler and thus noVNC’s
WebSockifyRequestHandler which uses it. By convincing a user to follow a
specially-crafted novncproxy URL, the user could be redirected to an
unrelated site under control of the attacker in an attempt to convince
them to divulge credentials or other sensitive data. All Nova
deployments with novncproxy enabled are affected.


Patches

    https://review.opendev.org/791807 (Train)

    https://review.opendev.org/791806 (Ussuri)

    https://review.opendev.org/791805 (Victoria)

    https://review.opendev.org/791577 (Wallaby)

    https://review.opendev.org/791297 (Xena)


Credits

    Swe Aung from Monash University Cyber Security team (CVE-2021-3654)

    Shahaan Ayyub from Monash University Cyber Security team (CVE-2021-3654)

    Salman Khan from Monash University Cyber Security team (CVE-2021-3654)


References

    https://launchpad.net/bugs/1927677

    https://bugs.python.org/issue32084

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654


Notes

    The stable/train branch is under extended maintenance and will
receive no new point releases, but a patch for it is provided as a courtesy.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================