IBM Support

Nessus Scan reporting Cookie insertion vulnerability against Cinder

Question & Answer


Question

Nessus Scan products have been known to report cookie injection vulnerabilities against region servers and the Cinder service. Such reports may look like the following:

  unknown (9696/tcp) & unknown (8776/tcp)
  Web Server Generic Cookie Injection
  Synopsis : The remote web server is prone to a cookie injection attack.
  Description : The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

Cause

Security scans that detect certain open ports used by the OpenStack Cinder service may report this kind of error.

Answer

OpenStack development has commented specifically on this issue and reports that it is not a vulnerability, for the following reasons:

  • Cinder is not a web server; it is just listening on that port for REST commands to be sent.
  • The content type being sent back is text/plain, not HTML, so the returned data is treated as plain text. Therefore it isn't going to cause something to be executed on another person's system.
  • The above items mean that there is no vector to get a cookie onto a user's system.

In conclusion, Cinder's response in this case states that an invalid request has been made to the server, which is actually the case. There is no vulnerability.
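
A triage check for this kind of finding, following the reasoning above (an added example, not IBM's or OpenStack's code): it parses a captured HTTP response and reports whether the scanner's probe string could be rendered as markup or was set as a cookie. The probe marker and both sample responses are constructed for illustration and are not real Cinder or Nessus output.

```python
# Media types a browser treats as markup; a reflected probe only matters in these.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

PROBE = "PROBE-7f3a"  # constructed marker standing in for the scanner's request string

# Constructed sample: an API-style error that echoes the request as plain text.
API_STYLE = ("HTTP/1.1 400 Bad Request\r\n"
             "Content-Type: text/plain; charset=UTF-8\r\n"
             "\r\n"
             "Invalid request: " + PROBE + "\r\n")

# Constructed sample: a web page that echoes the same string inside HTML.
HTML_STYLE = ("HTTP/1.1 404 Not Found\r\n"
              "Content-Type: text/html\r\n"
              "\r\n"
              "<html><body>Not found: " + PROBE + "</body></html>")

def parse_response(raw):
    """Split a raw HTTP/1.x response into status line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def triage(raw, probe):
    """Report whether the echoed probe can act as markup or became a cookie."""
    _, headers, body = parse_response(raw)
    ctype = next((v for n, v in headers if n == "content-type"), None)
    media = ctype.split(";")[0].strip().lower() if ctype else None
    cookies = [v for n, v in headers if n == "set-cookie"]
    result = {
        "media_type": media,
        "probe_reflected": probe in body,
        "probe_in_set_cookie": any(probe in c for c in cookies),
        # A missing Content-Type is treated as risky because the client may guess.
        "renders_as_markup": media is None or media in ACTIVE_TYPES,
    }
    result["needs_review"] = result["probe_in_set_cookie"] or (
        result["probe_reflected"] and result["renders_as_markup"])
    return result

if __name__ == "__main__":
    for name, raw in (("api-style", API_STYLE), ("html-style", HTML_STYLE)):
        print(name, triage(raw, PROBE))
```

The plain-text response reflects the probe but is not flagged, which matches the reasoning in the answer; the HTML response with the same reflection is flagged for review.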


Document Information

Modified date:
28 January 2020

UID

nas8N1020873