OSSN/OSSN-0037

Summary
Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks in it's default configuration.

Affected Services / Software
Horizon, Django, Apache, Nginx, SSL, TLS

Discussion
The BREACH attack may be used to compromise Django's cross-site request forgery (CSRF) protection. OpenStack's Horizon web dashboard is built on the Django framework, and is consequently affected. There is no fix available in Horizon itself, but there are protection options.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS.

Recommended Actions
Since BREACH is related to serving compressed data, disabling compression of web responses can be used to mitigate these type of attacks. Some methods for this include:

Disable Django's GZIP Middleware:


 * https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip

Disable GZip compression in your web server's config. For Apache httpd, you can do this by disabling mod_deflate:


 * http://httpd.apache.org/docs/2.2/mod/mod_deflate.html

For Nginx, you can do this by disabling the gzip module:


 * http://wiki.nginx.org/HttpGzipModule

Contacts / References

 * Author: Robert Clark, HP
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0037
 * Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1209250
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg
 * Django advice on BREACH : https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
 * More info on BREACH : http://breachattack.com/