Missing "secure" and "httpOnly" Cookie Attributes #8330

Closed
tjgruber opened this issue Dec 29, 2017 · 11 comments

@tjgruber

Hi,

Running a vulnerability scan against my server using Cockpit results in what the title says, and I cannot find where to fix it. I don't have an Apache config file, or see a config file in /etc/cockpit/cockpit.conf.
Is this a built-in vulnerability in Cockpit or is there a way I can fix it? If not, the only solution I see is to not use Cockpit on public-facing servers. What can I do?

  • Missing "secure" Cookie Attribute
  • Missing "httpOnly" Cookie Attribute

Here's the version I'm running:

Installed Packages
Name : cockpit
Version : 151
Release : 2.fc26
Arch : x86_64
Size : 45 k
Source : cockpit-151-2.fc26.src.rpm
Repo : @System
From repo : updates
Summary : A user interface for Linux servers
URL : http://cockpit-project.org/
License : LGPLv2+
Description : Cockpit runs in a browser and can manage your network of GNU/Linux
: machines.

Here's the results so you have what I have:

Medium (CVSS: 6.4)
NVT: SSL/TLS: Missing ‘secure‘ Cookie Attribute

Summary

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.

Vulnerability Detection Result

The cookies:
Set-Cookie: cockpit=replaced; PATH=/
are missing the "secure" attribute.

Solution

Solution type: Mitigation
Set the ’secure’ attribute for any cookies that are sent over a SSL/TLS connection.

Affected Software/OS

Server with SSL/TLS.

Vulnerability Insight

The flaw is due to cookie is not using ’secure’ attribute, which allows cookie to be passed to
the server by the client over non-secure channels (http) and allows attacker to conduct session
hijacking attacks.
Impact Level: Application

Vulnerability Detection Method

Details:SSL/TLS: Missing ‘secure‘ Cookie Attribute
OID:1.3.6.1.4.1.25623.1.0.902661
Version used: $Revision: 5543 $

References

Other:
URL:https://www.owasp.org/index.php/SecureFlag
URL:http://www.ietf.org/rfc/rfc2965.txt
URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

Medium (CVSS: 5.0)
NVT: Missing ‘httpOnly‘ Cookie Attribute

Summary

The application is missing the ’httpOnly’ cookie attribute

Vulnerability Detection Result

The cookies:
Set-Cookie: cockpit=replaced; PATH=/
are missing the "httpOnly" attribute.

Solution

Solution type: Mitigation
Set the ’httpOnly’ attribute for any session cookie.

Affected Software/OS

Application with session handling in cookies.

Vulnerability Insight

The flaw is due to a cookie is not using the ’httpOnly’ attribute. This allows a cookie to be
accessed by JavaScript which could lead to session hijacking attacks.

Vulnerability Detection Method

Check all cookies sent by the application for a missing ’httpOnly’ attribute
Details:Missing ‘httpOnly‘ Cookie Attribute
OID:1.3.6.1.4.1.25623.1.0.105925
Version used: $Revision: 5270 $

References

Other:
URL:https://www.owasp.org/index.php/HttpOnly
URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

@petervo
Contributor

petervo commented Jan 2, 2018

httponly is only missing when we are deleting the cookie. Whenever we actually set a value, we use the httponly flag.

We do set the Secure attribute when we detect that it is running over ssl but it's possible that is missing something in your setup. What OS are you on and how did you install and run cockpit?

@tjgruber
Author

tjgruber commented Jan 2, 2018

Running Fedora 27 Server from NetInstall Minimal installation. Installed via: dnf install cockpit

It's only accessible via https.

@petervo
Contributor

petervo commented Jan 2, 2018

In that case I'm pretty confident that what you are seeing is just the cookie being deleted. A cookie with any real value should have both the httponly and the secure attributes.

@stefwalter
Contributor

@petervo Should we set those fields anyway?

@tjgruber
Author

tjgruber commented Jan 4, 2018

How do I do that so it doesn't fail those checks during the vulnerability scan?

@petervo
Contributor

petervo commented Jan 4, 2018

@tjgruber code needs to change.

@stefwalter
Contributor

@petervo Would be helpful to point out which code.

@tjgruber Look for the function cockpit_auth_empty_cookie(). Make sure to only set secure if an https session is in use. Other code in the same file manages to do that.
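A standalone header check, added here as an example (not Cockpit's or OpenVAS's code), that applies the two attribute checks from the scan report above and also reports whether a header is a cookie-clearing one, the case @petervo describes; the `secure` check is only applied when the response came over TLS, as @stefwalter recommends for the fix. The sample headers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]  # lower-cased attribute name -> value ("" for flags like HttpOnly)

    def is_deletion(self) -> bool:
        """True when the header clears the cookie rather than setting a real session value."""
        if self.value == "" or self.attrs.get("max-age") == "0":
            return True
        expires = self.attrs.get("expires")
        if not expires:
            return False
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:  # parsedate_to_datetime returns a naive value for "-0000"
            when = when.replace(tzinfo=timezone.utc)
        return when <= datetime.now(timezone.utc)

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)

def audit(header: str, over_tls: bool) -> dict:
    """Apply the two checks from the scan report; 'secure' only matters when served over TLS."""
    cookie = parse_set_cookie(header)
    findings = []
    if "httponly" not in cookie.attrs:
        findings.append("missing httpOnly")
    if over_tls and "secure" not in cookie.attrs:
        findings.append("missing secure")
    return {"name": cookie.name, "deletion": cookie.is_deletion(), "findings": findings}

if __name__ == "__main__":  # constructed samples: the reported header, a cleared cookie, a full one
    for h in ("cockpit=replaced; PATH=/", "cockpit=; Path=/; Max-Age=0; HttpOnly; Secure",
              "cockpit=c0ff33; Path=/; Secure; HttpOnly"):
        print(audit(h, over_tls=True))
```

A header that is a deletion still fails both scanner checks, which is why the scanner flags Cockpit here even though the real session cookie carries both attributes.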

@nicholaspier

Any progress on this issue? When scanning a new, Fedora 28 host, minimal install, I receive the same 2 vulnerabilities:

  • SSL/TLS: Missing secure Cookie Attribute
  • Missing httpOnly Cookie Attribute

I'm using OpenVAS 9 with current definitions. It looks like @tjgruber is using the same tool. I don't have access to any other vulnerability scanners to confirm if they also see the issue.

dnf list installed | grep cockpit

cockpit-bridge.x86_64 166-1.fc28 @updates
cockpit-networkmanager.noarch 166-1.fc28 @updates
cockpit-storaged.noarch 166-1.fc28 @updates
cockpit-system.noarch 166-1.fc28 @updates
cockpit-ws.x86_64 166-1.fc28 @updates

uname -a
Linux steam0.pier.lan 4.16.5-300.fc28.x86_64 #1 SMP Fri Apr 27 17:38:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@tjgruber
Author

@stefwalter

Look for the function cockpit_auth_empty_cookie(). Make sure to only set secure if an https session is in use. Other code in the same file manages to do that.

In which file do I look for this and where is it located?

@stefwalter
Contributor

@tjgruber

$ git grep cockpit_auth_empty_cookie
src/ws/cockpitauth.c:cockpit_auth_empty_cookie_value (const gchar *path)
src/ws/cockpitauth.h:gchar *         cockpit_auth_empty_cookie_value       (const gchar *path);
src/ws/cockpithandlers.c:      cookie_line = cockpit_auth_empty_cookie_value (path);

@martinpitt
Member

"secure" was added in PR #11279, "httpOnly" in PR #10766.
