VPN shared PSK shown in plaintext

Bug #1575909 reported by Steve McLellan
Affects / Status / Importance / Assigned to / Milestone
OpenStack Dashboard (Horizon): Fix Released / Low / Julie Gravel / (none listed)
OpenStack Security Advisory: Won't Fix / Undecided / Unassigned / (none listed)

Bug Description

In the neutron VPN details and form, https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/templates/vpn/_ipsecsiteconnection_details.html#L43 and https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/vpn/forms.py#L249 don't offer the option of hiding the string. Typically sensitive information like passwords is hidden by default, requiring the user to explicitly choose to make it visible by clicking an icon (like the eye icon).

Filing this as a security bug out of an overabundance of caution; while it is related to security it doesn't describe a vulnerability that can be exploited by means other than shoulder surfing.

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Tristan Cacqueray (tristan-cacqueray) wrote :

@horizon-coresec please triage this bug report.

Perhaps this doesn't need to be kept private and can be fixed in the open?

David Lyle (david-lyle) wrote :

I think this can be fixed in the open. The risk is someone viewing over your shoulder as you enter the key, much as not obscuring a password when typing it. It's not ideal, but the risk is quite limited.

Steve McLellan (sjmc7) wrote :

I'm fine with that; Rob had suggested filing as security just to be safe but I agree shoulder surfing isn't the same as a remote vulnerability.

Jeremy Stanley (fungi) wrote :

Agreed, this doesn't seem like it needs to be handled under embargo, and could be worked further in public instead.

information type: Private Security → Public Security
description: updated
Tristan Cacqueray (tristan-cacqueray) wrote :

Moreover this doesn't really deserve an advisory, it sounds like a class D type of bug (hardening) according to: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Grant Murphy (gmurphy) wrote :

I agree. I don't think we need an advisory for this.

Tristan Cacqueray (tristan-cacqueray) wrote :

Based on above comment, I removed the OSSA task.

Changed in ossa:
status: Incomplete → Won't Fix
Changed in horizon:
assignee: nobody → Julie Gravel (julie-gravel)
status: New → In Progress
Jeremy Stanley (fungi)
information type: Public Security → Public
tags: added: security
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Submitting patches automatically updates Launchpad. Please don't modify the status to In Progress manually.

Changed in horizon:
status: In Progress → New
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/434508

Changed in horizon:
milestone: none → pike-1
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/434508
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=5137dc4fdd19de3494293731abffdfb7e5b26449
Submitter: Jenkins
Branch: master

commit 5137dc4fdd19de3494293731abffdfb7e5b26449
Author: Julie Gravel <email address hidden>
Date: Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden

    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab
    should not be displayed in plain text due to security concerns. Set
    the PSK field in the Add Connection and the Edit Connection dialogs
    to be a password field to provide the user some protection when
    entering the value. Remove the PSK field from the details page since
    this is the pattern used with the password field in Identity Users
    panel.

    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909

Changed in horizon:
status: New → Fix Released
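As an added illustration of the two patterns the commit message above describes (this is not Horizon's code and not the content of the linked review), the sketch below renders the PSK as a password input that does not echo the stored value back into the markup, and drops the PSK from the read-only details view. The sample connection record, the field names and the `leaks_secret` template-test helper are all constructed for this example. Note that masking the input only addresses the on-screen exposure the thread discusses; a `value` attribute on a password input would still carry the secret in the page source, which is why the hardened form never re-populates it.

```python
import html

# Constructed sample IPsec site connection record; the PSK is a made-up value.
SAMPLE_CONNECTION = {
    "name": "branch-office",
    "peer_address": "203.0.113.10",
    "peer_cidrs": "10.20.0.0/24",
    "psk": "correct horse battery staple",
    "status": "ACTIVE",
}

# Attribute names that must never be rendered into a read-only details view.
SENSITIVE_FIELDS = frozenset({"psk"})


def render_psk_input(value=None, masked=True, name="psk"):
    """Render the PSK input for the Add/Edit Connection dialog.

    masked=False reproduces the pre-fix behaviour: a plain text input that
    echoes the current value on screen. masked=True is the fixed behaviour:
    a password input, with the stored value never written back into the
    markup (a browser would only hide it visually; the page source would
    still contain it).
    """
    if masked:
        return f'<input type="password" name="{html.escape(name)}" autocomplete="off">'
    attrs = ['type="text"', f'name="{html.escape(name)}"']
    if value is not None:
        attrs.append(f'value="{html.escape(value, quote=True)}"')
    return "<input " + " ".join(attrs) + ">"


def render_details(connection, hide=SENSITIVE_FIELDS):
    """Render the details page as a definition list, omitting sensitive keys."""
    rows = [
        f"<dt>{html.escape(str(key))}</dt><dd>{html.escape(str(val))}</dd>"
        for key, val in connection.items()
        if key not in hide
    ]
    return "<dl>" + "".join(rows) + "</dl>"


def render_details_unfixed(connection):
    """Pre-fix rendering: every attribute, PSK included, shown in clear text."""
    return render_details(connection, hide=frozenset())


def leaks_secret(markup, secret):
    """Template-test helper: True if the secret appears in the rendered markup,
    either verbatim or in its HTML-escaped form."""
    return secret in markup or html.escape(secret, quote=True) in markup


if __name__ == "__main__":
    psk = SAMPLE_CONNECTION["psk"]
    print("details (before):", leaks_secret(render_details_unfixed(SAMPLE_CONNECTION), psk))
    print("details (after): ", leaks_secret(render_details(SAMPLE_CONNECTION), psk))
    print("form (before):   ", leaks_secret(render_psk_input(value=psk, masked=False), psk))
    print("form (after):    ", leaks_secret(render_psk_input(value=psk), psk))
```

A check like `leaks_secret` belongs in the template tests of a dashboard: render each view with a known constructed secret and assert it never appears, so a later template change cannot quietly reintroduce the plaintext display.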
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/440733

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/440734

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/440736

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/mitaka)

Reviewed: https://review.openstack.org/440736
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=7a1a8b373935904ce0701f3c3758ec1f56c243ea
Submitter: Jenkins
Branch: stable/mitaka

commit 7a1a8b373935904ce0701f3c3758ec1f56c243ea
Author: Julie Gravel <email address hidden>
Date: Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden

    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab
    should not be displayed in plain text due to security concerns. Set
    the PSK field in the Add Connection and the Edit Connection dialogs
    to be a password field to provide the user some protection when
    entering the value. Remove the PSK field from the details page since
    this is the pattern used with the password field in Identity Users
    panel.

    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909
    (cherry picked from commit 5137dc4fdd19de3494293731abffdfb7e5b26449)

tags: added: in-stable-mitaka
tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/newton)

Reviewed: https://review.openstack.org/440734
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=cb65d6b873482c518d602bc7e359dce1c5312454
Submitter: Jenkins
Branch: stable/newton

commit cb65d6b873482c518d602bc7e359dce1c5312454
Author: Julie Gravel <email address hidden>
Date: Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden

    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab
    should not be displayed in plain text due to security concerns. Set
    the PSK field in the Add Connection and the Edit Connection dialogs
    to be a password field to provide the user some protection when
    entering the value. Remove the PSK field from the details page since
    this is the pattern used with the password field in Identity Users
    panel.

    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909
    (cherry picked from commit 5137dc4fdd19de3494293731abffdfb7e5b26449)

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/ocata)

Reviewed: https://review.openstack.org/440733
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=03f78705e8e4756537b2da4bbada8101f9f16f3a
Submitter: Jenkins
Branch: stable/ocata

commit 03f78705e8e4756537b2da4bbada8101f9f16f3a
Author: Julie Gravel <email address hidden>
Date: Wed Feb 15 12:08:12 2017 -0800

    Make VPN IPSec Site Connection PSK field hidden

    The Pre-Shared Key (PSK) field on the VPN IPSec Site Connection tab
    should not be displayed in plain text due to security concerns. Set
    the PSK field in the Add Connection and the Edit Connection dialogs
    to be a password field to provide the user some protection when
    entering the value. Remove the PSK field from the details page since
    this is the pattern used with the password field in Identity Users
    panel.

    Change-Id: I4dd713f01b02c29d9822efcb519de60fd9d035e6
    Close-Bug: #1575909
    (cherry picked from commit 5137dc4fdd19de3494293731abffdfb7e5b26449)

tags: added: in-stable-ocata