ACLs in Barbican may break the security model for the database when using PKCS#11
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Barbican | Won't Fix | High | Unassigned | 
Bug Description
From https:/
1. Modification of ACLs in barbican database could compromise all secrets
~~~~~~~
- Risk: barbican has a feature that allows a tenant to grant another tenant access to a secret. This is controlled via a tenant mapping table within the barbican database. The implied security model of the barbican database (when running with PKCS#11) is that all cryptographic operations are performed in the HSM, so a confidentiality or integrity breach of the database will not directly result in secrets being compromised. However, if an attacker were able to modify the ACL mapping, they could grant a tenant access to any/all secrets stored in the HSM. Once the mapping is manipulated, the attacker could retrieve secrets using the normal barbican API.
- Impact: All secrets stored in barbican are exposed.
- Likelihood: Medium
- Impact: High
- Overall Risk Rating: High
- Bug: <link to launchpad bug for this finding>
- Recommendation: Provide deployment guidance requiring strong controls securing access to the barbican database.
We could sign the access and owner fields in the database to verify they have not been modified.
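One way to implement the signing this comment proposes, as an added example that is not Barbican's code: each ACL row carries an HMAC over its owner and access fields, and the read path refuses any row whose tag no longer verifies. The integrity key, the `SecretAcl` row layout and the sample data are assumptions for illustration; in a deployment the key would have to live outside the database (for instance wrapped by the HSM) so that a database compromise cannot re-sign rows.

```python
"""Added example (not Barbican code): integrity-tag ACL rows so that a
tampered owner/access mapping is detected before it is honoured."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical integrity key. It must be held outside the database (e.g.
# wrapped by the HSM); otherwise an attacker with DB access can re-sign rows.
INTEGRITY_KEY = b"\x00" * 32  # constructed placeholder value


@dataclass
class SecretAcl:
    secret_id: str
    owner_project: str                               # project that owns the secret
    read_users: list = field(default_factory=list)   # users granted read access
    tag: str = ""                                    # HMAC over the fields above


def canonical(acl: SecretAcl) -> bytes:
    # Canonical JSON so the same mapping always serialises to the same bytes.
    body = {"secret_id": acl.secret_id, "owner_project": acl.owner_project,
            "read_users": sorted(acl.read_users)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_acl(acl: SecretAcl, key: bytes = INTEGRITY_KEY) -> SecretAcl:
    acl.tag = hmac.new(key, canonical(acl), hashlib.sha256).hexdigest()
    return acl


def acl_is_intact(acl: SecretAcl, key: bytes = INTEGRITY_KEY) -> bool:
    expected = hmac.new(key, canonical(acl), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, acl.tag)  # constant-time compare


def may_read(acl: SecretAcl, project_id: str, user_id: str,
             key: bytes = INTEGRITY_KEY) -> bool:
    """Reject the row outright if its tag fails; otherwise apply the ACL."""
    if not acl_is_intact(acl, key):
        return False
    return project_id == acl.owner_project or user_id in acl.read_users


def demo():
    # Constructed sample: a signed row, then a copy altered directly in the
    # "database" to add a user without going through the API.
    row = sign_acl(SecretAcl("secret-1", "project-A", ["alice"]))
    tampered = SecretAcl(row.secret_id, row.owner_project,
                         row.read_users + ["mallory"], row.tag)
    return (may_read(row, "project-B", "alice"),        # True: legitimate grant
            may_read(tampered, "project-B", "mallory"), # False: tag mismatch
            acl_is_intact(tampered))                    # False
```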