OpenStack Identity (Keystone)

[OSSA-2012-019] token expires time incorrect for auth by one token

Reported by anndy on 2012-11-15
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Keystone
High
Russell Bryant
Folsom
High
Thierry Carrez
OpenStack Security Advisory
Undecided
Thierry Carrez
keystone (Ubuntu)
Undecided
Unassigned
Quantal
Undecided
Unassigned

Bug Description

curl -v -XGET -H "X-Auth-Token: ADMIN" http://127.0.0.1:35357/v2.0/tokens/1854c38f436a4980b22b310279e3b773
response(skip something):
       "token": {
            "expires": "2012-11-16T13:24:31Z",
            "id": "1854c38f436a4980b22b310279e3b773"
        },

-------------------
curl -X POST -H "Content-Type: application/json" -d '{"auth": {"token": {"id": "1854c38f436a4980b22b310279e3b773"}, "tenantId": "a2a2c50a344259647880964547228412"}}' http://127.0.0.1:35357/v2.0/tokens | python -mjson.tool
response:
        "token": {
            "expires": "2012-11-16T13:24:31Z",
            "id": "8c1b1343e57e4d24bf2b15013c453ad4",
             ...
        },

---------------------------------------------
curl -v -XGET -H "X-Auth-Token: ADMIN" http://127.0.0.1:35357/v2.0/tokens/8c1b1343e57e4d24bf2b15013c453ad4
response:
        "token": {
            "expires": "2012-11-16T13:34:01Z", (It is not the same.)
            "id": "8c1b1343e57e4d24bf2b15013c453ad4",
        },
--------------------------------------
If someone get a unexpired token id, he can extend use time forever without any password credentials.

anndy (anndymaktub) wrote :
Thierry Carrez (ttx) wrote :

Hmm, I thought that was covered by CVE-2012-3426.
Adding Keystone PTL for discussion.

Dolph Mathews (dolph) on 2012-11-15
Changed in keystone:
importance: Undecided → High
status: New → Confirmed
Dolph Mathews (dolph) wrote :

Confirmed for at least UUID tokens in master branch (as of 240d6b41a04f1d24f9bfe36d4da3a57512bb80de). Current master branch requires a slightly different patch than the above due to recent refactoring, but it's a similar one-liner.

Not clear on the history of this issue yet or if PKI tokens are affected.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
Dolph Mathews (dolph) wrote :

It does not appear that PKI tokens are affected.

Dolph Mathews (dolph) wrote :

Attached patch for master branch that fixes the issue for UUID tokens and tests for the issue using both UUID & PKI tokens. However, the patch also includes an unrelated bugfix allowing for tokens w/o metadata that I'd specifically like ayoung to review and that we may need to track separately.

Dolph Mathews (dolph) wrote :

Patch attached for stable/folsom.

Dolph Mathews (dolph) wrote :

stable/essex does not appear to be affected.

Dolph Mathews (dolph) wrote :

Attached is a backport of the new tests for stable/essex. No fix is necessary.

Joseph Heck (heckj) wrote :

Patch(es) look good - approved from me.

tags: added: folsom-backport
Thierry Carrez (ttx) wrote :

Would prefer if the security patch did not include the additional fix (allowing for tokens w/o metadata) -- Minimal is good from a security patching perspective.

Dolph Mathews (dolph) wrote :

ttx: that's specifically why I mentioned it! Attached is just the fix+test for UUID tokens.

Dolph Mathews (dolph) wrote :

Same patch as above for stable/folsom (fix+test for UUID tokens).

Thierry Carrez (ttx) wrote :

@keystone-core: please validate the latest patches
@anndy: do you have a full name (and optionally company) that we can credit for the discovery of this vulnerability ?

Proposed impact description:

Title: Extension of token validity through token chaining
Reporter: $CREDIT
Products: keystone
Affects: Folsom

Description:
$CREDIT reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support UUID tokens.

Dolph Mathews (dolph) wrote :

@Thierry: "refactored to support UUID tokens." -> "refactored to support PKI tokens"

I have not confirmed that this is true (although it's likely), but I assume this is what you meant ^

Joseph Heck (heckj) wrote :

verified good and test drives the explicit patch so we don't regress this area in the future.

anndy (anndymaktub) wrote :

@Thierry: just Anndy.

Thierry Carrez (ttx) wrote :

Fixed impact description:

Title: Extension of token validity through token chaining
Reporter: Anndy
Products: Keystone
Affects: Folsom

Description:
Anndy reported a vulnerability in token chaining in Keystone. A token expiration date can be circumvented by creating a new token before the old one has expired. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner expectations. Note: this vulnerability was fixed in the past (CVE-2012-3426) but was reintroduced in Folsom when code was refactored to support PKI tokens.

Russell Bryant (russellb) wrote :

The description sounds good to me. +1

Thierry Carrez (ttx) wrote :

Pushed to downstream stakeholders

Proposed public disclosure date/time:
*Wednesday November 28th, 1500UTC*

Thierry Carrez (ttx) wrote :

CVE-2012-5563

Thierry Carrez (ttx) on 2012-11-28
information type: Private Security → Public Security

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/17050

Changed in keystone:
assignee: Dolph Mathews (dolph) → Russell Bryant (russellb)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/17051
Committed: http://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
Submitter: Jenkins
Branch: master

commit 38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
Author: Dolph Mathews <email address hidden>
Date: Wed Nov 28 10:28:07 2012 -0500

    Ensure token expiration is maintained (bug 1079216)

    Change-Id: I95853ec36e9c4cd937cfac7e08b648e830f9efd0

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/17050
Committed: http://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
Submitter: Jenkins
Branch: stable/folsom

commit f9d4766249a72d8f88d75dcf1575b28dd3496681
Author: Dolph Mathews <email address hidden>
Date: Wed Nov 28 16:28:05 2012 +0100

    Ensure token expiration is maintained

    Ensure token expiration is maintained. Fixes bug 1079216.

    Change-Id: I0ce53f106ab6d95916fdc9797cb9d8bf09132a91

Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Quantal):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :
Changed in keystone (Ubuntu Quantal):
status: Confirmed → Fix Released

Hello anndy, or anyone else affected,

Accepted keystone into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Thierry Carrez (ttx) on 2013-01-09
Changed in keystone:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in keystone:
milestone: grizzly-2 → 2013.1
Thierry Carrez (ttx) on 2013-06-07
summary: - token expires time incorrect for auth by one token
+ [OSSA-2012-019] token expires time incorrect for auth by one token
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers