TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication (Cobbler, TCP port 443)

Bug #1646761 reported by Adam Heczko
Affects             Status         Importance  Assigned to    Milestone
Fuel for OpenStack  Fix Committed  Low         Sergii Rizvan  (Nominated for Ocata by Sergii Rizvan; nominated for Pike by Sergii Rizvan)
7.0.x               Fix Released   Low         Sergii Rizvan
8.0.x               Fix Released   Low         Sergii Rizvan
Mitaka              Fix Released   Low         Sergii Rizvan
Newton              Fix Committed  Low         Sergii Rizvan

Bug Description

Detailed bug description:
The server is configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man in the middle attacks.

Steps to reproduce:
Negotiated with the following insecure cipher suites:
    * TLS 1.0 ciphers:
       * TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_128_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    * TLS 1.1 ciphers:
       * TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_128_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    * TLS 1.2 ciphers:
       * TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_128_CBC_SHA
       * TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Expected results:
The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.

Refer to your server vendor documentation to apply the recommended cipher configuration:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA3
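
The check a practitioner would want to run against this finding, as an added example that is not code from the original report or from the Fuel/Cobbler project. Anonymous suites such as TLS_ECDH_anon_WITH_AES_128_CBC_SHA perform a Diffie-Hellman exchange with no server signature, so an on-path attacker can complete the handshake itself and relay traffic, and the client has nothing to verify. The script below flags such suites in the three forms they show up in practice: IANA names as printed by scanners, OpenSSL names, and an OpenSSL cipher-list string expanded through Python's ssl module. The sample inputs (the suites from the report above and a subset of the recommended list, which is truncated on the page) are constructed for the example; probe_server() is the live network check and is not run by default.

```python
"""Audit a TLS cipher configuration for anonymous (unauthenticated) suites."""
import socket
import ssl
from typing import Dict, List

# Constructed sample: the suites the report lists for TCP/443 (IANA names),
# plus one authenticated suite for contrast.
REPORTED_SUITES = [
    "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed subset of the recommended OpenSSL cipher list from the report.
RECOMMENDED_SUBSET = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256"
)


def is_anonymous_suite(name: str, description: str = "") -> bool:
    """True if the suite provides no server authentication.

    IANA names carry "_anon_"; OpenSSL names use the ADH-/AECDH- prefixes
    (anonymous DH / anonymous ECDH); `openssl ciphers -v` and
    SSLContext.get_ciphers() describe such suites with "Au=None".
    """
    return (
        "_anon_" in name
        or name.startswith(("ADH-", "AECDH-"))
        or "Au=None" in description
    )


def anonymous_in_list(names: List[str]) -> List[str]:
    """Filter a scanner's list of negotiated suite names down to the anonymous ones."""
    return [n for n in names if is_anonymous_suite(n)]


def audit_openssl_cipher_list(cipher_list: str) -> Dict[str, List[str]]:
    """Expand an OpenSSL cipher-list string the way a server would and report
    which of the resulting suites are anonymous.

    Raises ssl.SSLError if no suite matches the string at all. TLS 1.3 suites
    (Kx=any/Au=any) are included by OpenSSL regardless; none of them is anonymous.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    enabled = ctx.get_ciphers()  # dicts with "name", "protocol", "description", ...
    anon = [c["name"] for c in enabled
            if is_anonymous_suite(c["name"], c["description"])]
    return {"enabled": [c["name"] for c in enabled], "anonymous": anon}


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake when offered ONLY anonymous suites.

    Equivalent to: openssl s_client -connect host:port -cipher 'aNULL:@SECLEVEL=0'
    @SECLEVEL=0 is required because OpenSSL >= 1.1.0 refuses anonymous suites at
    its default security level. Certificate verification is disabled on purpose:
    an anonymous suite sends no certificate, which is the condition being probed.
    TLS 1.3 defines no anonymous suites, so the probe is capped at TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("aNULL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # A finished handshake here means the server accepted an
                # unauthenticated key exchange: the finding from the report.
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("anonymous suites in scanner output:", anonymous_in_list(REPORTED_SUITES))
    result = audit_openssl_cipher_list(RECOMMENDED_SUBSET)
    print("recommended list enables %d suites, anonymous: %s"
          % (len(result["enabled"]), result["anonymous"]))
```

A server is only fixed when probe_server() returns False for the Cobbler port and audit_openssl_cipher_list() reports an empty "anonymous" list for the configured cipher string; excluding anonymous suites is what the fuel-library change for this bug does, and this audit verifies the same property without requiring nmap.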

Changed in fuel:
assignee: nobody → MOS Maintenance (mos-maintenance)
summary: TLS/SSL Server Supports Anonymous Cipher Suites with no Key
- Authentication (Cobbler)
+ Authentication (Cobbler, TCP port 443)
Sergii Rizvan (srizvan)
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Sergii Rizvan (srizvan)
Sergii Rizvan (srizvan)
Changed in fuel:
milestone: 8.0-mu-4 → 12.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/452144

Changed in fuel:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/453109

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/453111

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/453561

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/453562

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/7.0)

Fix proposed to branch: stable/7.0
Review: https://review.openstack.org/453564

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/8.0)

Reviewed: https://review.openstack.org/453562
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=42ebf728a89f3ee885743d5a12dd765f9f06b52c
Submitter: Jenkins
Branch: stable/8.0

commit 42ebf728a89f3ee885743d5a12dd765f9f06b52c
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/453561
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=0594f862d61d1f4763f5f825b66aad350d116e05
Submitter: Jenkins
Branch: stable/mitaka

commit 0594f862d61d1f4763f5f825b66aad350d116e05
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/7.0)

Reviewed: https://review.openstack.org/453564
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=f74b7243f0b1f0e737b5c2a7b28ec47a702c6cdb
Submitter: Jenkins
Branch: stable/7.0

commit f74b7243f0b1f0e737b5c2a7b28ec47a702c6cdb
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/452144
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=7261e43577da1db39744c64ee0c37f2121182c1e
Submitter: Jenkins
Branch: master

commit 7261e43577da1db39744c64ee0c37f2121182c1e
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

Changed in fuel:
status: In Progress → Fix Committed
Ekaterina Shutova (eshutova) wrote :

Verified on 8.0 mu4 updates.
Before there were some broken ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
...
|_ least strength: broken
After updates:
|_ least strength: strong
https://paste.mirantis.net/show/11317/

Ekaterina Shutova (eshutova) wrote :

Verified on 7.0 mu8 updates.
Checked that all ciphers are strong:
|_ least strength: strong

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/ocata)

Reviewed: https://review.openstack.org/453109
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c8f0798a1079e098d9da83273c5ad53755fbcaf2
Submitter: Jenkins
Branch: stable/ocata

commit c8f0798a1079e098d9da83273c5ad53755fbcaf2
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

tags: added: in-stable-ocata
tags: added: on-verification
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/newton)

Reviewed: https://review.openstack.org/453111
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=7875c960ac700c626770331b22c906127720d043
Submitter: Jenkins
Branch: stable/newton

commit 7875c960ac700c626770331b22c906127720d043
Author: Sergii Rizvan <email address hidden>
Date: Fri Mar 31 13:44:55 2017 +0300

    Exclude anonymous cipher suites from Cobbler SSL configuration

    The server used to be configured to support anonymous cipher suites
    with no key authentication. These ciphers are highly vulnerable
    to man in the middle attacks.

    New configuration applies only strong cipher suites on SSL server.

    Change-Id: I8ecac040a77614fd78188995a873b85c94781411
    Closes-Bug: #1646761

TatyanaGladysheva (tgladysheva) wrote :

Verified on 9.2 + mu2 updates.

Checked that all ciphers are strong:
http://paste.openstack.org/show/609740/

tags: removed: on-verification
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/fuel-library ocata-eol

This issue was fixed in the openstack/fuel-library ocata-eol release.

This report contains Public Security information  
Everyone can see this security related information.
