[OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911)

Fix proposed to branch: master
Review: https://review.openstack.org/311886

This is causing race failures in the gate, so that's why it's marked high:

http://logstash.openstack.org/#dashboard/file/logstash.json?query=(message%3A%5C%22testtools.matchers._impl.MismatchError%3A%20%26lt%3Bbound%20method%20RolesClient.list_roles%20of%20%26lt%3Btempest.services.identity.v2.json.roles_client.RolesClient%5C%22%20OR%20message%3A%5C%22testtools.matchers._impl.MismatchError%3A%20%26lt%3Bbound%20method%20TokenClient.auth_token%20of%20%26lt%3Btempest.lib.services.identity.v2.token_client.TokenClient%5C%22)%20AND%20tags%3A%5C%22console%5C%22&from=7d

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/312582

Reviewed: https://review.openstack.org/311886
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0d376025bae61bf5ee19d992c7f336b99ac69240
Submitter: Jenkins
Branch: master

commit 0d376025bae61bf5ee19d992c7f336b99ac69240
Author: Lance Bragstad <email address hidden>
Date: Mon May 2 19:16:11 2016 +0000

    Fix fernet audit ids for v2.0

    The fernet token provider was doing some weird things with audit ids that
    caused token rescoping to not work because audit ids were never pulled from the
    original token. This commit also enables some tests for v2.0 authentication
    with the Fernet as the token provider.

    Closes-Bug: 1577558
    Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e

This means that if you're using fernet then revocation doesn't work, because we revoke by audit ID.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Does this mean token revocation is broken for all production deployments using fernet tokens? Only affects stable/mitaka, or was the implementation available in any earlier releases as well?

Reviewed: https://review.openstack.org/312582
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee1dc941042d1f71699971c5c30566af1b348572
Submitter: Jenkins
Branch: stable/mitaka

commit ee1dc941042d1f71699971c5c30566af1b348572
Author: Lance Bragstad <email address hidden>
Date: Mon May 2 19:16:11 2016 +0000

    Fix fernet audit ids for v2.0

    The fernet token provider was doing some weird things with audit ids that
    caused token rescoping to not work because audit ids were never pulled from the
    original token. This commit also enables some tests for v2.0 authentication
    with the Fernet as the token provider.

    Closes-Bug: 1577558
    Change-Id: Iffbaf505ef50a6c6d97c5340645acb2f6fda7e0e
    (cherry picked from commit 0d376025bae61bf5ee19d992c7f336b99ac69240)

Proposed impact description -

Title: Incorrect Audit IDs in Keystone Fernet Tokens
Reporter: Lance Bragstad (Rackspace)
Products: OpenStack Kesytone
Affects: Master (Newton), Mitaka

Description:
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. When Keystone was configured to use Fernet tokens, the unique string (audit_id) was not properly maintained during a token rescope (requesting a token for a new project scope using the current token for authentication). This resulted in the inability to revoke entire chain of tokens. The revocation of the chain of tokens. Most revocations are not for the entire chain of tokens. Only Master (Newton) and Mitaka releases of Keystone configured to use Fernet as the Keystone token provider were affected.

2nd Revision impact statement

Title: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
Reporter: Lance Bragstad (Rackspace)
Products: OpenStack Kesytone
Affects: >=9.0.0

Description:
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. By rescoping a token a user will receive a new token without correct audit_ids, these incorrect audit_ids will prevent the entire chain of tokens from being revoked properly. This vulnerability does not impact revoking a token by it's individual audit_id. Only deployments with Keystone configured to use Fernet tokens are impacted.

Erm, I think I got the Affects >= incorrect.

Beside the affect line that should be "==9.0.0", the impact description in comment #10 LGTM. Thanks Morgan!

+1 on the impact description. Thanks Morgan!

CVE-2016-4911 has been assigned to this but Launchpad believes it to be invalid.

impact looks fine to me!

@Ian,

I'll look into that tomorrow. That was the number assigned when it was requested. I'll confirm it's not doing something weird. Thanks for pointing it out.

Did this impact liberty?

I don't think this impacts liberty because in liberty the fernet provider was technically still it's *own* provider. When Fernet tokens were originally introduced, the provider inherited the BaseProvider class from keystone.token.providers.common.py but it overrode a lot of the methods provided because it needed to do specific things [0]. This resulted in differences in the token responses depending on if the token being validated was a fernet token or a uuid token. One of the top priorities for the Mitaka release was to consolidate the duplicated methods in the Fernet provider into the BaseProvider. This is where the bug comes from because the Fernet provider had to use a couple hooks in order to pull the attributes needed out of the v2 token request. The logic that pulled the attributes was wrong about audit_ids and it wasn't tested against v2.

I'll pull down the latest liberty branch and test this locally.

[0] https://github.com/openstack/keystone/blob/stable/liberty/keystone/token/providers/fernet/core.py#L41

This doesn't seem to be an issue with liberty. I pulled the latest liberty as of today:

commit 26240963712541d215d414fa71596cccc60dd7ce

I was able to get a token with an audit_id = "8HAaHKMnSxe-wrTTv2RgxA". I rescoped that token and the audit_ids returned in the response contained the original audit_id from the first token:

"audit_ids": [
                "i8OpkdQHSJOgMQVIJgkG9w",
                "8HAaHKMnSxe-wrTTv2RgxA"
            ],

This doesn't seem to apply to liberty (probably because of the reasoning listed in comment #18). The following pastes are the authentication responses from my manual test.

original token: http://paste.openstack.org/show/497523/
rescoped token: http://paste.openstack.org/show/497524/

This issue was fixed in the openstack/keystone 9.0.1 release.

Related fix proposed to branch: master
Review: https://review.openstack.org/320209

Reviewed: https://review.openstack.org/320209
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=c6db6d9d4ab7193fc4d48cd5eaca3c8a0c56a024
Submitter: Jenkins
Branch: master

commit c6db6d9d4ab7193fc4d48cd5eaca3c8a0c56a024
Author: Morgan Fainberg <email address hidden>
Date: Mon May 23 20:48:44 2016 -0700

    Adds OSSA 2016-008 (CVE-2016-4911)

    Change-Id: I35ae3174ce88363c1a2b0b3f8c5beb0a3054d928
    Related-Bug: #1577558

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.