Password Change Doesn't Affirmatively Invalidate Sessions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Released
|
Low
|
Lin Hua Cheng | ||
Kilo |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Identity (keystone) |
Fix Released
|
Low
|
Dolph Mathews | ||
Icehouse |
Fix Released
|
Undecided
|
Unassigned | ||
Juno |
Fix Released
|
Low
|
Dolph Mathews | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
The password change dialog at /horizon/
<code>
if user_is_editable:
try:
msg = _("Password changed. Please log in again to continue.")
except Exception:
else:
return False
</code>
There are at least two security concerns here:
1) Logout is done by means of an HTTP redirect. Let's say Eve, as MitM, gets ahold of Alice's token somehow. Alice is worried this may have happened, so she changes her password. If Eve suspects that the request is a password-change request (which is the most Eve can do, because we're running over HTTPS, right? Right!?), then it's a simple matter to block the redirect from ever reaching the client, or the redirect request from hitting the server. From Alice's PoV, something weird happened, but her new password works, so she's not bothered. Meanwhile, Alice's old login ticket continues to work.
2) Part of the purpose of changing a password is generally to block those who might already have the password from continuing to use it. A password change should trigger (insofar as is possible) a purging of all active logins/tokens for that user. That does not happen here.
Frankly, I'm not the least bit sure if I've thought of the worst-case scenario(s) for point #1. It just strikes me as very strange not to aggressively/
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Low |
Changed in horizon: | |
status: | Incomplete → Triaged |
importance: | Undecided → Low |
assignee: | nobody → Vlad Okhrimenko (vokhrimenko) |
Changed in keystone: | |
milestone: | none → kilo-2 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
status: | Triaged → In Progress |
Changed in horizon: | |
assignee: | Paul Karikh (pkarikh) → Timur Sufiev (tsufiev-x) |
Changed in horizon: | |
assignee: | Timur Sufiev (tsufiev-x) → Paul Karikh (pkarikh) |
Changed in keystone: | |
milestone: | kilo-2 → 2015.1.0 |
Changed in horizon: | |
assignee: | Paul Karikh (pkarikh) → Vlad Okhrimenko (vokhrimenko) |
Changed in horizon: | |
assignee: | Vlad Okhrimenko (vokhrimenko) → Paul Karikh (pkarikh) |
Changed in horizon: | |
assignee: | Paul Karikh (pkarikh) → Lin Hua Cheng (lin-hua-cheng) |
Changed in horizon: | |
milestone: | none → liberty-3 |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
milestone: | liberty-3 → 8.0.0 |
description: | updated |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.