CVE-2020-1760

Red Hat CVE record RH:CVE-2020-1760 (redhat.com, access.redhat.com)
Published: 2020-04-07 07:05:37

EPSS: 0.006 (Low), percentile 77.8%

A flaw was found in the Ceph Object Gateway (RGW), which accepts requests sent by an anonymous user through its Amazon S3 API. Because untrusted input in such requests is not properly neutralized, this flaw could lead to potential XSS attacks.

Mitigation

  • Mitigation provided by DigitalOcean:

The mitigation relies on the HAProxy load balancers in front of RGW, and uses HAProxy ACLs combined with in-house Lua embedded in HAProxy.

1. Detect usage of the query parameters without any signature (either pre-signed or header), and return an S3-formatted error.
2. Validate the content of the query parameters, and return an S3-formatted error.

HAProxy mitigation:

acl req_s3_GetObject REDACTED ## redacted: uses internal Lua to detect GetObject
acl has_accesskey REDACTED ## redacted: uses internal Lua to detect & validate the signature

# detection 1: any of the response-* override query parameters (QPs) is present

acl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found
acl req_s3_GetObject_urlp_response url_param(response-expires) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-language) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-type) -m found

# detection 2: QPs containing percent-encoded unprintable ASCII (0x00-0x1f), incl. CRLF
# (-i makes the match case-insensitive, so %0a and %0A are both caught)

acl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f

# block for detection 1: override QPs on a GetObject request that carries no signature

http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey

# block for detection 2: applies even to signed requests (no !has_accesskey condition)

http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf
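The same two detections reimplemented in Python so the logic can be tested outside HAProxy; this is an added example, not the Red Hat record's or DigitalOcean's code. It assumes any GET with a non-empty path is a GetObject (the page's Lua for that is redacted), treats an `Authorization` header or a pre-signed `AWSAccessKeyId`/`X-Amz-Credential` query as "signed", and works on URL-decoded values, whereas the ACLs above match the encoded form.

```python
from urllib.parse import urlsplit, parse_qsl
from xml.sax.saxutils import escape

# The six GetObject response-header overrides named in the HAProxy ACLs above.
RESPONSE_OVERRIDE_PARAMS = {
    "response-cache-control", "response-expires",
    "response-content-disposition", "response-content-encoding",
    "response-content-language", "response-content-type",
}

def is_signed(query, headers):
    """True if the request carries a signature: an Authorization header, or a
    pre-signed query (SigV2 AWSAccessKeyId / SigV4 X-Amz-Credential)."""
    keys = {k for k, _ in query}
    has_auth = any(h.lower() == "authorization" for h in headers)
    return has_auth or "AWSAccessKeyId" in keys or "X-Amz-Credential" in keys

def check_get_object(method, url, headers):
    """Apply both detections to one request. Returns None if the request may be
    proxied to RGW, else (detection_number, reason). Assumption: any GET with a
    non-empty path is treated as GetObject (the real check is redacted Lua)."""
    parts = urlsplit(url)
    if method != "GET" or parts.path in ("", "/"):
        return None
    # keep_blank_values: `?response-content-type=` still counts as present
    query = parse_qsl(parts.query, keep_blank_values=True)
    overrides = [(k, v) for k, v in query if k in RESPONSE_OVERRIDE_PARAMS]
    if not overrides:
        return None
    # Detection 2: control characters (0x00-0x1f, incl. CR/LF) in an override.
    # parse_qsl has URL-decoded the value, so %0d and %0D are both caught here;
    # like the HAProxy rule, this applies whether or not the request is signed.
    for k, v in overrides:
        if any(ord(c) < 0x20 for c in v):
            return (2, f"control character in {k}")
    # Detection 1: override parameters on an unsigned (anonymous) request.
    if not is_signed(query, headers):
        return (1, "response-* override without signature")
    return None

def s3_error(resource, message, code="InvalidArgument"):
    """Build the S3-formatted error returned instead of proxying the request."""
    body = ('<?xml version="1.0" encoding="UTF-8"?>'
            f"<Error><Code>{escape(code)}</Code><Message>{escape(message)}</Message>"
            f"<Resource>{escape(resource)}</Resource></Error>")
    return 400, {"Content-Type": "application/xml"}, body
```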