RabbitMQ Management Plugin Vulnerability


Udit Tyagi

Feb 2, 2021, 6:06:52 AM
to rabbitmq-users
Hi Team,

The following vulnerabilities are being reported for the RabbitMQ Management plugin:

MEDIUM
Missing Cross-Frame Scripting Protection

Recommendation
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.
The X-Frame-Options header should be present in the header of each server response. It informs web browsers whether the page may be framed on certain sites. The "X-Frame-Options" header must be present in every server response, including 404 Page Not Found or 500 Internal Server Error.

F 4.2
LOW
Missing HTTP Strict-Transport-Security Header

Recommendation
The HTTP Strict-Transport-Security header was not found in HTTP responses.
Include the HTTP Strict-Transport-Security header in each server's HTTP response.


Do we have any specific RabbitMQ version where these are fixed?

Regards,
Udit Tyagi

Wesley Peng

Feb 2, 2021, 6:10:24 AM
to RabbitMQ Users
HTTP API interface should be protected by firewalls, no matter if it has vulnerabilities or not.

Regards

Udit Tyagi

Feb 2, 2021, 6:14:29 AM
to rabbitmq-users
We are seeing these vulnerabilities in the OWASP tool and reported by customers as well. What possible explanation can we give to customers to avoid these vulnerabilities?

Wesley Peng

Feb 2, 2021, 6:29:35 AM
to RabbitMQ Users
A low-risk vulnerability means nothing in practice; we just don't care.

Jason Ipock

Feb 2, 2021, 9:56:18 AM
to rabbitmq-users
From what I've found, Cross-Frame Scripting issues take advantage of a web browser's existing vulnerability as opposed to being a vulnerability completely in and of itself. JavaScript is supposed to be kept within its own server domain by design and typically is.

It sounds to me like you had a security company do an audit on your network and they only saw a missing header. Is there a proof of concept they came up with? On which browser(s) and related version(s) does the flaw occur? 

dc...@prosentient.com.au

Feb 2, 2021, 5:16:23 PM
to Udit Tyagi, rabbitm...@googlegroups.com
I'm not very familiar with the RabbitMQ Management plugin, but I'd suggest opening an issue on GitHub. I imagine it would be trivial for the core team to add these headers into https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_management/src/rabbit_mgmt_headers.erl.

Or if you're a developer, you could have a go at writing your own patch and sending in a pull request.

David Cook
Software Engineer
Prosentient Systems
Suite 7.03, 6a Glen St, Milsons Point NSW 2061, Australia
Office: 02 9212 0899
Online: 02 8005 0595

Udit Tyagi

Feb 3, 2021, 12:47:28 AM
to rabbitmq-users
Hi Jason, 

Yes, we do have a security audit in which we scan using tools like OWASP, Qualys and Nessus. It came up in the scan report that these vulnerabilities are related to headers that are missing from the RabbitMQ management plugin URL. An application deployed on a server should have headers like the below:
  1. Strict-Transport-Security: max-age=31536000; includeSubDomains
  2. X-Frame-Options: SAMEORIGIN

The fix required in the RabbitMQ management plugin for Strict-Transport-Security is: https://www.valencynetworks.com/kb/strict-transport-security-header-missing.html
To understand more about the Cross-Frame Clickjacking vulnerability: https://owasp.org/www-community/attacks/Cross_Frame_Scripting

Regards,
Udit Tyagi

Jason Ipock

Feb 3, 2021, 8:33:32 AM
to rabbitm...@googlegroups.com
I thought it sounded like some sort of an automated alert. There are a lot of reasons why this should not be a problem. For example, the OWASP link you included even states that for this to happen, it requires a browser flaw as well. If you are *that* concerned about security, you probably have some of the latest versions of web browsers out there. And the OWASP example uses IE, which even Microsoft isn't supporting on their flagship O365 products come office. Now, if you had proof-of-concept code demonstrating this against a current browser, it might bump up the priority.

If this is a really big deal for you, I would also concur with David Cook's suggestion of adding the header yourself and doing a Pull Request. It actually does not sound very hard to do at all. Also, I'm sure if you had paid support, you could go through that channel.

Good Luck
-Jason


Gavin M. Roy

Feb 7, 2021, 7:38:34 PM
to rabbitm...@googlegroups.com
On Wed, Feb 3, 2021 at 12:47 AM Udit Tyagi <uditty...@gmail.com> wrote:

> Fix required in rabbitMQ management plugin for Strict-Transport-Security is : https://www.valencynetworks.com/kb/strict-transport-security-header-missing.html

I suggest you stick a reverse proxy like Nginx in front of it and set the header there if it's really important.
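One way to do what Gavin suggests, as an added example that is not part of the thread: nginx terminates TLS, proxies to the management plugin on its default port 15672, and adds the two headers the scanner flagged to every response. The hostname, certificate paths and upstream address are assumed placeholders.

```nginx
# Added example (not from the thread or the RabbitMQ project): reverse proxy
# in front of the management plugin that supplies the two missing headers.
server {
    listen 443 ssl;
    server_name rabbitmq.example.internal;            # assumed hostname

    ssl_certificate     /etc/nginx/tls/rabbitmq.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/rabbitmq.key;

    # The headers the scan reported as missing. "always" makes nginx emit
    # them on every status code, including 404 and 500, not only on 2xx/3xx,
    # which is what the first post's recommendation asks for.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Management plugin's default HTTP listener on the same host.
        proxy_pass http://127.0.0.1:15672;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# HSTS is only honoured by browsers on HTTPS responses, so send plain HTTP
# visitors to the TLS listener instead of serving the UI over port 80.
server {
    listen 80;
    server_name rabbitmq.example.internal;            # assumed hostname
    return 301 https://$host$request_uri;
}
```

This only helps if the plugin's own listener on 15672 is not also reachable by clients; bind it to loopback or firewall it, as Wesley's reply suggests.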

Udit Tyagi

Feb 9, 2021, 12:11:47 AM
to rabbitmq-users
Hi Team,

I found that cross-origin settings can be configured for the RabbitMQ management plugin - https://www.rabbitmq.com/management.html#cors

Cross-origin Resource Sharing (CORS)

The management UI application will by default refuse access to websites hosted on origins different from its own using the Cross-Origin Resource Sharing mechanism, also known as CORS. It is possible to whitelist origins:

management.cors.allow_origins.1 = https://origin1.org
management.cors.allow_origins.2 = https://origin2.org

I tried updating the /etc/rabbitmq/rabbitmq.config file but it is not able to identify the above-mentioned changes, as the format is a bit different I guess.

Can someone please help me understand where exactly I have to configure this?
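The `management.cors.*` keys quoted in the post are the syntax of the newer ini-style `/etc/rabbitmq/rabbitmq.conf`, whereas `/etc/rabbitmq/rabbitmq.config` is the classic Erlang-term file, which is why they are not picked up there. The same whitelist in the classic format, as an added example that is not part of the thread (the origins are placeholders; `cors_allow_origins` and `cors_max_age` are the management plugin's application-environment keys for this setting):

```erlang
%% Added example (not from the thread): /etc/rabbitmq/rabbitmq.config in the
%% classic Erlang-term format. The whole file is one Erlang term ending in a
%% period; a missing period or trailing comma makes the node fail to start.
[
 {rabbitmq_management,
  [
   %% Only these origins may make cross-origin browser requests to the
   %% HTTP API. List exact scheme + host (+ port); "*" would allow any site.
   {cors_allow_origins, ["https://origin1.org", "https://origin2.org"]},

   %% Seconds a browser may cache the CORS preflight response.
   {cors_max_age, 1800}
  ]}
].
```

Restart the node after editing, and note that CORS only governs which origins may call the HTTP API from a browser; it does not set X-Frame-Options or Strict-Transport-Security, so it does not address the two findings in the first post.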