Skip to content

Potential security issue with novnc console #4550

Description

@weizhouapache

The url in iframe of novnc console can be used without user login.

When open a vm console, and open the source of page, we get the real link of novnc console.
we are able to access the novnc console on other browsers/servers/ via the link, without user login.

This is a potential security issue.

We have two options
(1) add source IP of client to encrypted token, and check the client IP after token decryption when access the vm console.

we need to make sure

  • IP to management server and CPVM (console proxy vm) are same.
  • If the new browser/session has same outgoing IP as old session, it will still be able to access the vm console.

to be clear, these two files need to be changed
https://github.com/apache/cloudstack/blob/master/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
and
https://github.com/apache/cloudstack/blob/master/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java

(2) save the access ticket to database
when vm console, access ticket will be generated and saved into database.

When access the console, management server will check the params to see if vm is valid and access ticket is not expired.,etc.
It will also check if token is valid and has been not used.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
NoVNC console
CLOUDSTACK VERSION
4.15/master
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
STEPS TO REPRODUCE
  1. open a vm console
    example:
    image

  2. view the source of the page
    example

<html><title>v-1-VM</title><frameset><frame src="https://10-135-126-207.cloud.leaseweb.net/resource/noVNC/vnc.html?port=8080&token=I-QW-IpdDhf3i82rJP_WctztYaq15O6ZP1Mya9F1VspNwDHDhXhQjRqO-ubZMM6YwJkfDNNEShT1K1XZmrnZvmv9ro504qoPqEuC9go5UlrQqBdJga-DAWaFKg0pv_QGo3xhGy4VSNCuj_N86ILC8wAQjmaqbSxyqFFfAlEc8UHxuyGiZG4YpHNnM6je3V82IV555AfnA1-3oyXh5tp9X-Bd7zeXRGIprt7_lwTnGxLgvdk06AoGseD4YabpB_aJLpvx3RfxuHD7hR1IrOrl9g"></frame></frameset></html>

  1. open the link on other server.
    It will not work at the first time, but works after refresh (related to novnc: Accept new novnc client and disconnect old session #4531 )

image

EXPECTED RESULTS
The link in page source should NOT work in other servers, without login
ACTUAL RESULTS
We are able to access the vm console via the URL in page source, without login.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions