
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-3660 is a clickjacking vulnerability affecting Cockpit and its plugins. The vulnerability was discovered in July 2021 and allows a malicious website to embed a Cockpit server page inside an HTML frame on that site. It affects Cockpit versions prior to 236, including the installations shipped in Red Hat Enterprise Linux 8.3 and below (Red Hat Bugzilla).
The vulnerability stems from Cockpit's lack of protection against clickjacking, specifically the absence of the X-Frame-Options header in its HTTP responses. This security header tells the browser whether a page may be embedded in an iframe on other websites. The issue was particularly exploitable in versions before Cockpit 236, because those versions also used a non-strict cookie policy that allowed the authenticated session to be carried into a cross-origin frame (GitHub Issue).
If exploited, this vulnerability could allow attackers to conduct clickjacking attacks, where users might unknowingly perform actions on the Cockpit interface when visiting a malicious website. For example, an attacker could potentially trick users into temporarily disabling SELinux through a single click, as the button is accessible with minimal interaction (Red Hat Bugzilla).
The issue was addressed by implementing the X-Frame-Options header set to 'sameorigin', which restricts frame embedding to the same origin only. This fix was implemented in Cockpit version 236 and above, which is included in Red Hat Enterprise Linux 8.4 and later versions. Additionally, the cookie policy was tightened to prevent cross-origin frame embedding (GitHub Commit).
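As an added example (not Cockpit's own code), the following Python helper classifies an HTTP response the way a browser decides whether a cross-origin page may frame it, honouring CSP frame-ancestors over X-Frame-Options when both are present; the two sample responses are constructed to mimic a pre-236 page with no protection and the fixed `X-Frame-Options: sameorigin` behaviour.

```python
"""Check an HTTP response for anti-clickjacking headers.

Added example for CVE-2021-3660; the sample responses below are
constructed, not captured from a real Cockpit instance."""


def parse_headers(raw_response: str) -> dict:
    """Return a lower-cased header map from a raw HTTP/1.1 response string."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_frame_protection(headers: dict) -> dict:
    """Decide whether cross-origin framing is blocked.

    Browsers give CSP frame-ancestors precedence over X-Frame-Options,
    so a present frame-ancestors directive is treated as authoritative."""
    ancestors = frame_ancestors(headers.get("content-security-policy", ""))
    if ancestors is not None:
        # An empty list, '*', or a scheme-only source such as 'https:' lets any site frame the page.
        open_to_all = not ancestors or any(a == "*" or a.endswith(":") for a in ancestors)
        return {"protected": not open_to_all,
                "reason": "CSP frame-ancestors " + " ".join(ancestors)}
    xfo = headers.get("x-frame-options", "").lower()
    if xfo in ("deny", "sameorigin"):
        return {"protected": True, "reason": "X-Frame-Options " + xfo}
    if xfo:   # e.g. the obsolete ALLOW-FROM form, which modern browsers ignore
        return {"protected": False, "reason": "unrecognised X-Frame-Options value: " + xfo}
    return {"protected": False, "reason": "no X-Frame-Options or frame-ancestors header"}


# Constructed responses: pre-236 style (no header) and fixed style (sameorigin).
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-Frame-Options: sameorigin\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, assess_frame_protection(parse_headers(raw)))
```

Point `parse_headers` at the raw text of a response captured from your own Cockpit host to verify that the upgrade to 236 or later actually took effect.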
Source: This report was generated using AI