[OSSA-2012-019] token expires time incorrect for auth by one token

Bug #1079216 reported by anndy
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  High        Russell Bryant
  Folsom                       Fix Released  High        Thierry Carrez
OpenStack Security Advisory    Fix Released  Undecided   Thierry Carrez
keystone (Ubuntu)              Fix Released  Undecided   Unassigned
  Quantal                      Fix Released  Undecided   Unassigned

Bug Description

curl -v -XGET -H "X-Auth-Token: ADMIN" http://127.0.0.1:35357/v2.0/tokens/1854c38f436a4980b22b310279e3b773
response(skip something):
       "token": {
            "expires": "2012-11-16T13:24:31Z",
            "id": "1854c38f436a4980b22b310279e3b773"
        },

-------------------
curl -X POST -H "Content-Type: application/json" -d '{"auth": {"token": {"id": "1854c38f436a4980b22b310279e3b773"}, "tenantId": "a2a2c50a344259647880964547228412"}}' http://127.0.0.1:35357/v2.0/tokens | python -mjson.tool
response:
        "token": {
            "expires": "2012-11-16T13:24:31Z",
            "id": "8c1b1343e57e4d24bf2b15013c453ad4",
             ...
        },

---------------------------------------------
curl -v -XGET -H "X-Auth-Token: ADMIN" http://127.0.0.1:35357/v2.0/tokens/8c1b1343e57e4d24bf2b15013c453ad4
response:
        "token": {
            "expires": "2012-11-16T13:34:01Z", (It is not the same.)
            "id": "8c1b1343e57e4d24bf2b15013c453ad4",
        },
--------------------------------------
If someone gets an unexpired token id, he can extend its use time forever without any password credentials.
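The following Python model is an added example, not Keystone's own code and not part of the bug report. It reproduces the behaviour the three curl calls above show: a token obtained by authenticating with another token gets a fresh full lifetime ("fresh" policy, the Folsom bug), whereas the fixed behaviour caps the child token at the parent's expiry ("inherit" policy). It also includes a small checker that compares two token responses of the shape shown above and flags a child that outlives its parent, which is the symptom a defender would look for when confirming a deployment is patched. The 24-hour lifetime, the policy names, the user and tenant names, and the two sample responses are assumptions constructed for the example.

```python
"""Model of Keystone v2 token chaining (bug 1079216 / CVE-2012-5563).

Added example, not Keystone code. Two policies for the expiry of a token
obtained by authenticating with another token are modelled:

  "fresh"   -- the behaviour shown in the bug report: the new token gets a
               full lifetime from "now", so chaining extends access forever.
  "inherit" -- the fixed behaviour: the new token keeps the parent's expiry
               and can never outlive it.
"""
import json
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)   # assumed lifetime, not Keystone's setting


class TokenStore:
    def __init__(self, policy="inherit"):
        assert policy in ("fresh", "inherit")
        self.policy = policy
        self.tokens = {}  # token id -> {"user", "tenant", "expires"}

    def issue_with_password(self, user, now):
        # Password authentication: a brand-new token with a full lifetime.
        tid = uuid.uuid4().hex
        self.tokens[tid] = {"user": user, "tenant": None,
                            "expires": now + TOKEN_LIFETIME}
        return tid

    def issue_with_token(self, parent_id, tenant, now):
        # Token authentication (scoping to a tenant). Parent must still be valid.
        parent = self.tokens.get(parent_id)
        if parent is None or parent["expires"] <= now:
            raise PermissionError("parent token invalid or expired")
        if self.policy == "fresh":
            expires = now + TOKEN_LIFETIME   # vulnerable: resets the clock
        else:
            expires = parent["expires"]      # fixed: capped at the parent's expiry
        tid = uuid.uuid4().hex
        self.tokens[tid] = {"user": parent["user"], "tenant": tenant,
                            "expires": expires}
        return tid

    def expires(self, tid):
        return self.tokens[tid]["expires"]


def chain_tokens(policy, rounds, step=timedelta(hours=23)):
    """Re-authenticate with the previous token `rounds` times, `step` apart.

    Stops as soon as the store rejects the parent as expired. Returns, in
    hours, how far beyond the original password token's expiry the last
    accepted token remains valid (0.0 when chaining gains nothing).
    """
    store = TokenStore(policy)
    t0 = datetime(2012, 11, 15, 13, 24, 31, tzinfo=timezone.utc)
    tid = store.issue_with_password("example-user", t0)   # constructed user
    original_expiry = store.expires(tid)
    now = t0
    for _ in range(rounds):
        now += step
        try:
            tid = store.issue_with_token(tid, "example-tenant", now)
        except PermissionError:
            break   # the fixed policy ends the chain here
    return (store.expires(tid) - original_expiry).total_seconds() / 3600


def child_outlives_parent(parent_response, child_response):
    """Compare two /v2.0/tokens/<id> responses (JSON text) for the bug's symptom.

    Returns True when the child token's `expires` is later than its parent's,
    which should never happen on a patched Keystone.
    """
    def expires_of(text):
        stamp = json.loads(text)["access"]["token"]["expires"]
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return expires_of(child_response) > expires_of(parent_response)


# Constructed responses mirroring the two GET /tokens/<id> results above.
PARENT = json.dumps({"access": {"token": {
    "expires": "2012-11-16T13:24:31Z", "id": "1854c38f436a4980b22b310279e3b773"}}})
CHILD = json.dumps({"access": {"token": {
    "expires": "2012-11-16T13:34:01Z", "id": "8c1b1343e57e4d24bf2b15013c453ad4"}}})

if __name__ == "__main__":
    print("fresh   policy, hours gained:", chain_tokens("fresh", 10))    # 230.0
    print("inherit policy, hours gained:", chain_tokens("inherit", 10))  # 0.0
    print("child outlives parent:", child_outlives_parent(PARENT, CHILD))  # True
```

Under the "inherit" policy the second re-authentication already fails, because the first child expires together with the original password token; that is exactly what the "Ensure token expiration is maintained" fix restores. To verify a live deployment, save the JSON of the parent token lookup and of the token lookup for the token issued from it, and pass the two bodies to child_outlives_parent.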

Revision history for this message
anndy (anndymaktub) wrote :
Revision history for this message
Thierry Carrez (ttx) wrote :

Hmm, I thought that was covered by CVE-2012-3426.
Adding Keystone PTL for discussion.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Dolph Mathews (dolph) wrote :

Confirmed for at least UUID tokens in master branch (as of 240d6b41a04f1d24f9bfe36d4da3a57512bb80de). Current master branch requires a slightly different patch than the above due to recent refactoring, but it's a similar one-liner.

Not clear on the history of this issue yet or if PKI tokens are affected.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
Revision history for this message
Dolph Mathews (dolph) wrote :

It does not appear that PKI tokens are affected.

Revision history for this message
Dolph Mathews (dolph) wrote :

Attached patch for master branch that fixes the issue for UUID tokens and tests for the issue using both UUID & PKI tokens. However, the patch also includes an unrelated bugfix allowing for tokens w/o metadata that I'd specifically like ayoung to review and that we may need to track separately.

Revision history for this message
Dolph Mathews (dolph) wrote :

Patch attached for stable/folsom.

Revision history for this message
Dolph Mathews (dolph) wrote :

stable/essex does not appear to be affected.

Revision history for this message
Dolph Mathews (dolph) wrote :

Attached is a backport of the new tests for stable/essex. No fix is necessary.

Revision history for this message
Joseph Heck (heckj) wrote :

Patch(es) look good - approved from me.

tags: added: folsom-backport
Revision history for this message
Thierry Carrez (ttx) wrote :

Would prefer if the security patch did not include the additional fix (allowing for tokens w/o metadata) -- Minimal is good from a security patching perspective.

Revision history for this message
Dolph Mathews (dolph) wrote :

ttx: that's specifically why I mentioned it! Attached is just the fix+test for UUID tokens.

Revision history for this message
Dolph Mathews (dolph) wrote :

Same patch as above for stable/folsom (fix+test for UUID tokens).

Revision history for this message
Thierry Carrez (ttx) wrote :

@keystone-core: please validate the latest patches
@anndy: do you have a full name (and optionally company) that we can credit for the discovery of this vulnerability?

Proposed impact description:

Title: Extension of token validity through token chaining
Reporter: $CREDIT
Products: keystone
Affects: Folsom

Description:
$CREDIT reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner's expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support UUID tokens.

Revision history for this message
Dolph Mathews (dolph) wrote :

@Thierry: "refactored to support UUID tokens." -> "refactored to support PKI tokens"

I have not confirmed that this is true (although it's likely), but I assume this is what you meant ^

Revision history for this message
Joseph Heck (heckj) wrote :

Verified good, and the test drives the explicit patch so we don't regress this area in the future.

Revision history for this message
anndy (anndymaktub) wrote :

@Thierry: just Anndy.

Revision history for this message
Thierry Carrez (ttx) wrote :

Fixed impact description:

Title: Extension of token validity through token chaining
Reporter: Anndy
Products: Keystone
Affects: Folsom

Description:
Anndy reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner's expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support PKI tokens.

Revision history for this message
Russell Bryant (russellb) wrote :

The description sounds good to me. +1

Revision history for this message
Thierry Carrez (ttx) wrote :

Pushed to downstream stakeholders

Proposed public disclosure date/time:
*Wednesday November 28th, 1500UTC*

Revision history for this message
Thierry Carrez (ttx) wrote :

CVE-2012-5563

Thierry Carrez (ttx)
information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/17049

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/17050

Changed in keystone:
assignee: Dolph Mathews (dolph) → Russell Bryant (russellb)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/17051
Committed: http://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
Submitter: Jenkins
Branch: master

commit 38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
Author: Dolph Mathews <email address hidden>
Date: Wed Nov 28 10:28:07 2012 -0500

    Ensure token expiration is maintained (bug 1079216)

    Change-Id: I95853ec36e9c4cd937cfac7e08b648e830f9efd0

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/folsom)

Reviewed: https://review.openstack.org/17050
Committed: http://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
Submitter: Jenkins
Branch: stable/folsom

commit f9d4766249a72d8f88d75dcf1575b28dd3496681
Author: Dolph Mathews <email address hidden>
Date: Wed Nov 28 16:28:05 2012 +0100

    Ensure token expiration is maintained

    Ensure token expiration is maintained. Fixes bug 1079216.

    Change-Id: I0ce53f106ab6d95916fdc9797cb9d8bf09132a91

Revision history for this message
Thierry Carrez (ttx) wrote : Re: token expires time incorrect for auth by one token

OSSA 2012-019

Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in keystone (Ubuntu Quantal):
status: Confirmed → Fix Released
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello anndy, or anyone else affected,

Accepted keystone into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-2 → 2013.1
Thierry Carrez (ttx)
summary: - token expires time incorrect for auth by one token
+ [OSSA-2012-019] token expires time incorrect for auth by one token
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
