
Difference between revisions of "OSSN/OSSN-0037"

Earlier revision: (Created page with "__NOTOC__ == Configure Horizon to mitigate BREACH/CRIME attacks == === Summary === Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks in it's default confi...")

Later revision: m (Contacts / References), diff starting at line 40. The only change is the added line "* Author: Robert Clark, HP" under "=== Contacts / References ===", which already listed:

* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0037
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1209250
Latest revision as of 09:48, 22 July 2016


Configure Horizon to mitigate BREACH/CRIME attacks

Summary

Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks in its default configuration.

Affected Services / Software

Horizon, Django, Apache, Nginx, SSL, TLS

Discussion

The BREACH attack may be used to compromise Django's cross-site request forgery (CSRF) protection. OpenStack's Horizon web dashboard is built on the Django framework, and is consequently affected. There is no fix available in Horizon itself, but there are protection options.

BREACH exploits the information leaked by the size of compressed responses: when a response containing a secret (such as a CSRF token) is compressed before being served over SSL/TLS, the compressed length depends on the secret, and that length is visible to a network observer.

Recommended Actions

Since BREACH depends on the server compressing responses, disabling compression of web responses mitigates this type of attack. Some methods for this include:

Disable Django's GZIP Middleware:

Disable GZip compression in your web server's config. For Apache httpd, you can do this by disabling mod_deflate:

For Nginx, you can do this by disabling the gzip module:
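The three mitigations above (Django middleware, Apache mod_deflate, Nginx gzip) all come down to one verifiable property: the deployment must no longer compress responses. The following audit script is an added example, not part of the OSSN or of Horizon; it strips GZipMiddleware from a Django middleware list, scans httpd and nginx configuration text for compression directives that are still active, and checks a captured response header set for a compressed Content-Encoding. All configuration samples in it are constructed for illustration; the Django middleware class names are Django's real ones.

```python
"""Audit helpers for the BREACH mitigation in OSSN-0037: confirm that response
compression is disabled in Django, Apache httpd and Nginx.  Added example, not
code from the OSSN or Horizon.  Sample configs below are constructed."""
import re

GZIP_MIDDLEWARE = "django.middleware.gzip.GZipMiddleware"

# Apache httpd enables mod_deflate through LoadModule plus one of these
# output-filter directives; any surviving occurrence means compression is on.
APACHE_DEFLATE = re.compile(
    r"^\s*(SetOutputFilter|AddOutputFilter|AddOutputFilterByType)\s+.*\bDEFLATE\b", re.I)
APACHE_LOADMODULE = re.compile(r"^\s*LoadModule\s+deflate_module\b", re.I)
# Nginx turns the gzip module on with 'gzip on;' in any context.
NGINX_GZIP = re.compile(r"^\s*gzip\s+on\s*;", re.I)


def harden_django_middleware(middleware):
    """Return a copy of MIDDLEWARE (or the older MIDDLEWARE_CLASSES) with
    GZipMiddleware removed; the order of the remaining entries is kept."""
    return [m for m in middleware if m != GZIP_MIDDLEWARE]


def _uncommented_lines(text):
    """Yield config lines with '#' comments stripped (both httpd and nginx
    use '#' to end-of-line), so commented-out directives are not reported."""
    for line in text.splitlines():
        yield line.split("#", 1)[0]


def apache_compression_findings(config_text):
    """Return the mod_deflate related directives still active in an httpd config."""
    return [line.strip() for line in _uncommented_lines(config_text)
            if APACHE_DEFLATE.search(line) or APACHE_LOADMODULE.search(line)]


def nginx_compression_findings(config_text):
    """Return every active 'gzip on;' directive in an nginx config."""
    return [line.strip() for line in _uncommented_lines(config_text)
            if NGINX_GZIP.search(line)]


def is_compressed_response(headers):
    """True when a response's Content-Encoding advertises compression.
    `headers` is a mapping such as requests' response.headers; header names
    are matched case-insensitively.  After the fix, a request to the
    dashboard sent with 'Accept-Encoding: gzip' should return False here."""
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            tokens = {t.strip().lower() for t in value.split(",")}
            return bool(tokens & {"gzip", "x-gzip", "deflate", "br"})
    return False


# Constructed samples: the weak setting beside its corrected form.
MIDDLEWARE_WEAK = [
    "django.middleware.gzip.GZipMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
]
APACHE_WEAK = """\
LoadModule deflate_module modules/mod_deflate.so
<VirtualHost *:443>
    SSLEngine on
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript
</VirtualHost>
"""
APACHE_FIXED = """\
# LoadModule deflate_module modules/mod_deflate.so   (disabled per OSSN-0037)
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""
NGINX_WEAK = "server {\n    listen 443 ssl;\n    gzip on;\n    gzip_types text/html;\n}\n"
NGINX_FIXED = "server {\n    listen 443 ssl;\n    gzip off;\n}\n"


def main():
    print("Django middleware after hardening:", harden_django_middleware(MIDDLEWARE_WEAK))
    print("httpd weak  :", apache_compression_findings(APACHE_WEAK))
    print("httpd fixed :", apache_compression_findings(APACHE_FIXED))
    print("nginx weak  :", nginx_compression_findings(NGINX_WEAK))
    print("nginx fixed :", nginx_compression_findings(NGINX_FIXED))
    print("compressed? :", is_compressed_response({"Content-Encoding": "gzip"}))


if __name__ == "__main__":
    main()
```

Run the config checks against the real httpd and nginx files (including any included snippets, since a `gzip on;` or `AddOutputFilterByType DEFLATE` in an included file counts) and, once the services are restarted, confirm with `is_compressed_response` on a live dashboard response that no compressed Content-Encoding comes back even when the client offers gzip.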

Contacts / References

* Author: Robert Clark, HP
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0037
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1209250