RandomString may have less entropy than expected

Fix proposed to branch: master
Review: https://review.openstack.org/554745

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

That might be an issue for smaller password length. Is the algorithm still takes into account the "min" attribute of character_classes/character_sequences property?

If this is going to be backported to supported stable branches we could consider issuing an advisory, but even though a 40% strength reduction seems significant the actual brute-force difference between a 229.5-bit and 391-bit secret is going to be purely academic in a vast majority of real-world cases.

Yeah, it's likely only a problem if you (a) set up the character_sequences in strange ways, *and* (b) choose a relatively short password length. (If you have a password length of 66 this is obviously a non-issue - I lifted that example from the test case I wrote, where I chose it because the math worked out easily :)

The "min" properties are correctly taken into account, so no issues there. It's selecting everything else once you've fulfilled the minimum counts that's a problem.

Thanks for the prompt feedback. I suggest we triage this bug as C1 or even D according to VMT taxonomy ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Yeah, seems like a security hardening opportunity. Probably still worth backporting to supported stable branches if it can be done trivially/unobtrusively without causing backward-incompatibilities but I wouldn't press for any advisory on this one.

Ack, I would concur with that (Class D). The patch is not tiny, but it is very localised so I don't see any obstacles to backporting.

Thanks. In that case I'll just flag it as a security hardening opportunity. We can revisit that and issue an advisory if new issues come to light suggesting it's more serious than we think.

Reviewed: https://review.openstack.org/554745
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=6e16c051ba9c2fc409c82fda19467d9ee1aaf484
Submitter: Zuul
Branch: master

commit 6e16c051ba9c2fc409c82fda19467d9ee1aaf484
Author: Zane Bitter <email address hidden>
Date: Tue Mar 20 20:48:38 2018 -0400

    Fix entropy problems with OS::Random::String

    When generating a random string, once we had selected from the various
    required pools, we continued by selecting a pool at random and then
    selecting a character from that pool at random. This did not take into
    account the differing sizes of the available pools, nor the fact that the
    same character could appear in multiple pools, which resulted in a
    non-uniform probability distribution of characters. Since users mostly make
    use of this feature to generate default passwords for services they are
    deploying, this would result in the generated passwords having slightly
    less entropy than expected (and pathological cases were possible).

    Rectify this by always selecting non-constrained characters from a single
    combined pool, and by ensuring that each character appears only once in any
    pool we're selecting from.

    Since we also want to use this method to generate passwords for OpenStack
    Users, the new implementation is in a separate module in heat.common rather
    than mixed in with the resource's logic. Also, use a StringIO object to
    collect the characters rather than repeatedly appending to a string.

    Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
    Closes-Bug: #1757300
    Related-Bug: #1666129
    Related-Bug: #1444429

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/555859

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/555905

Reviewed: https://review.openstack.org/555859
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=8437ec3fce1fe742cceadb10982ab870dceb0e98
Submitter: Zuul
Branch: stable/queens

commit 8437ec3fce1fe742cceadb10982ab870dceb0e98
Author: Zane Bitter <email address hidden>
Date: Tue Mar 20 20:48:38 2018 -0400

    Fix entropy problems with OS::Random::String

    When generating a random string, once we had selected from the various
    required pools, we continued by selecting a pool at random and then
    selecting a character from that pool at random. This did not take into
    account the differing sizes of the available pools, nor the fact that the
    same character could appear in multiple pools, which resulted in a
    non-uniform probability distribution of characters. Since users mostly make
    use of this feature to generate default passwords for services they are
    deploying, this would result in the generated passwords having slightly
    less entropy than expected (and pathological cases were possible).

    Rectify this by always selecting non-constrained characters from a single
    combined pool, and by ensuring that each character appears only once in any
    pool we're selecting from.

    Since we also want to use this method to generate passwords for OpenStack
    Users, the new implementation is in a separate module in heat.common rather
    than mixed in with the resource's logic. Also, use a StringIO object to
    collect the characters rather than repeatedly appending to a string.

    Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
    Closes-Bug: #1757300
    Related-Bug: #1666129
    Related-Bug: #1444429
    (cherry picked from commit 6e16c051ba9c2fc409c82fda19467d9ee1aaf484)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/559188

Reviewed: https://review.openstack.org/555905
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=a08893dc865ab5fd39c013fe727f7cbf267583ad
Submitter: Zuul
Branch: stable/pike

commit a08893dc865ab5fd39c013fe727f7cbf267583ad
Author: Zane Bitter <email address hidden>
Date: Tue Mar 20 20:48:38 2018 -0400

    Fix entropy problems with OS::Random::String

    When generating a random string, once we had selected from the various
    required pools, we continued by selecting a pool at random and then
    selecting a character from that pool at random. This did not take into
    account the differing sizes of the available pools, nor the fact that the
    same character could appear in multiple pools, which resulted in a
    non-uniform probability distribution of characters. Since users mostly make
    use of this feature to generate default passwords for services they are
    deploying, this would result in the generated passwords having slightly
    less entropy than expected (and pathological cases were possible).

    Rectify this by always selecting non-constrained characters from a single
    combined pool, and by ensuring that each character appears only once in any
    pool we're selecting from.

    Since we also want to use this method to generate passwords for OpenStack
    Users, the new implementation is in a separate module in heat.common rather
    than mixed in with the resource's logic. Also, use a StringIO object to
    collect the characters rather than repeatedly appending to a string.

    Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
    Closes-Bug: #1757300
    Related-Bug: #1666129
    Related-Bug: #1444429
    (cherry picked from commit 6e16c051ba9c2fc409c82fda19467d9ee1aaf484)

This issue was fixed in the openstack/heat 11.0.0.0b1 development milestone.

This issue was fixed in the openstack/heat 10.0.1 release.

Reviewed: https://review.openstack.org/559188
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=8ce005cc0e309938f9d0fbdae65c92a406348936
Submitter: Zuul
Branch: stable/ocata

commit 8ce005cc0e309938f9d0fbdae65c92a406348936
Author: Zane Bitter <email address hidden>
Date: Tue Mar 20 20:48:38 2018 -0400

    Fix entropy problems with OS::Random::String

    When generating a random string, once we had selected from the various
    required pools, we continued by selecting a pool at random and then
    selecting a character from that pool at random. This did not take into
    account the differing sizes of the available pools, nor the fact that the
    same character could appear in multiple pools, which resulted in a
    non-uniform probability distribution of characters. Since users mostly make
    use of this feature to generate default passwords for services they are
    deploying, this would result in the generated passwords having slightly
    less entropy than expected (and pathological cases were possible).

    Rectify this by always selecting non-constrained characters from a single
    combined pool, and by ensuring that each character appears only once in any
    pool we're selecting from.

    Since we also want to use this method to generate passwords for OpenStack
    Users, the new implementation is in a separate module in heat.common rather
    than mixed in with the resource's logic. Also, use a StringIO object to
    collect the characters rather than repeatedly appending to a string.

    Change-Id: Ia7b63e72c1e3c0649290caf4fea8a32f7f89560b
    Closes-Bug: #1757300
    Related-Bug: #1666129
    Related-Bug: #1444429
    (cherry picked from commit 6e16c051ba9c2fc409c82fda19467d9ee1aaf484)

This issue was fixed in the openstack/heat 8.0.7 release.

This issue was fixed in the openstack/heat 9.0.5 release.