[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)

Bug #1348820 reported by Lance Bragstad on 2014-07-25
Affects                        Importance  Assigned to
OpenStack Identity (keystone)  High        Brant Knudson
  Icehouse                     High        Brant Knudson
OpenStack Security Advisory    High        Tristan Cacqueray

Bug Description

Steps to recreate

1.) Generate a v2.0 token: http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf

2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4

Notice that the 'issued_at' time of the token has changed.

3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt

The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call.

This is because the issued_at time is being overwritten on GET here: https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319

This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated, in the case of HEAD or GET, the issued_at time should already exist.

description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/109747

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/109757

Changed in keystone:
assignee: Brant Knudson (blk-u) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Brant Knudson (blk-u)

Reviewed: https://review.openstack.org/109602
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=556fb860311675fc437585651e4602b2908451eb
Submitter: Jenkins
Branch: master

commit 556fb860311675fc437585651e4602b2908451eb
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 09:14:14 2014 -0500

    Add tests related to V2 token issued_at time changing

    There was no test that showed that when a V2 token is used in a V3
    context its "issued_at" time changes. This affects validating a V2
    token using V3 and also revoking a V2 token. The tests show the
    current incorrect behavior.

    Partial-Bug: #1348820

    Change-Id: I2a3443847b2699384413933ae164fdc183aa110f

The fix for this requires the following commits:

https://review.openstack.org/#/c/109747/ - Fix for V2 token issued_at time changing
https://review.openstack.org/#/c/109602/ - Add tests related to V2 token issued_at time changing

Changed in keystone:
milestone: none → juno-3
importance: Medium → High
Brant Knudson (blk-u) wrote :

This is a security vulnerability since tokens aren't getting revoked as they should be.

information type: Public → Public Security

Reviewed: https://review.openstack.org/109747
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a4c73e4382cb062aa9f30fe1960d5014d3c49cc2
Submitter: Jenkins
Branch: master

commit a4c73e4382cb062aa9f30fe1960d5014d3c49cc2
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 16:26:38 2014 -0500

    Fix for V2 token issued_at time changing

    When the server converted a V2 token to a V3 token it regenerated
    the issued_at time.

    This was causing the server to return a different issued_at time
    when a V2 token was validated using the V3 API.

    This was causing the server to fail to revoke a V2 token if it was
    revoked before validating it first because the regenerated token was
    considered to be after the revocation event.

    Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
    Closes-Bug: #1348820

Changed in keystone:
status: In Progress → Fix Committed

@Brant, just to clarify, will repeated calls to the "/v3/auth/tokens/ GET api" prevent a token from expiring?

It seems to impact Havana and Icehouse too, right?

Changed in ossa:
status: New → Incomplete
Brant Knudson (blk-u) wrote :

@Tristan - I believe the issue here is that if you're attempting to validate a v2 token (that you got with a POST /v2.0/tokens) using the v3 API (using HEAD or HEAD /v3/auth/tokens) and Keystone is configured to use revocation events, the token will never be reported as expired.

So you've got your system configured to use revocation events and UUID tokens. You've disabled token caching in the auth_token middleware. Somebody gets a V2 token and uses it with Nova, etc. The auth_token middleware is validating the token and it always comes back as valid, never expired, even after the token expiration time.

This would only impact Icehouse since that's where revocation events were added.
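To make the mechanism described in the fix commit and in Brant's comment above concrete, here is an added Python simulation (not Keystone's own code) of how a regenerated issued_at lets an already-revoked V2 token pass V3 validation. The token, the revocation event and the simplified matching rule are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from Keystone: a V2 token as returned by
# POST /v2.0/tokens, and one revocation event of the kind Keystone stores when
# a user's tokens are revoked (an "issued_before" cut-off plus match criteria).
T0 = datetime(2014, 7, 25, 9, 0, 0, tzinfo=timezone.utc)
V2_TOKEN = {"id": "constructed-uuid", "user_id": "u1",
            "issued_at": T0, "expires": T0 + timedelta(hours=1)}
REVOKE_U1 = {"user_id": "u1", "issued_before": T0 + timedelta(minutes=5)}


def v2_to_v3(v2_token, now, regenerate_issued_at):
    """Convert a V2 token to the V3 shape used for validation.

    regenerate_issued_at=True mirrors the pre-fix behaviour (issued_at is
    rebuilt from the current time); False mirrors the fix (issued_at kept).
    """
    issued_at = now if regenerate_issued_at else v2_token["issued_at"]
    return {"user_id": v2_token["user_id"], "issued_at": issued_at,
            "expires_at": v2_token["expires"]}


def is_revoked(v3_token, events):
    """A token matches an event if the user matches and the token was issued
    at or before the event's cut-off. Hypothetical simplification of Keystone's
    matching, which also considers project, role, audit id and more."""
    return any(e["user_id"] == v3_token["user_id"]
               and v3_token["issued_at"] <= e["issued_before"] for e in events)


def validate_v2_via_v3(v2_token, events, now, regenerate_issued_at):
    """Return (valid, issued_at) as a V3 GET /auth/tokens validation would."""
    t = v2_to_v3(v2_token, now, regenerate_issued_at)
    valid = now < t["expires_at"] and not is_revoked(t, events)
    return valid, t["issued_at"]


def demo():
    later = T0 + timedelta(minutes=10)   # validation happens after the revocation
    buggy = validate_v2_via_v3(V2_TOKEN, [REVOKE_U1], later, True)
    fixed = validate_v2_via_v3(V2_TOKEN, [REVOKE_U1], later, False)
    return {"buggy_valid": buggy[0], "fixed_valid": fixed[0],
            "buggy_issued_at_moved": buggy[1] != T0,
            "fixed_issued_at_moved": fixed[1] != T0}


if __name__ == "__main__":
    print(demo())
```

With the pre-fix conversion the token's issued_at lands after the revocation event's cut-off, so the event never matches and the revoked token is still reported valid; with issued_at preserved the event matches and validation fails as intended.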

Thierry Carrez (ttx) wrote :

Sounds valid to me

Changed in ossa:
importance: Undecided → High
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

@Brant: could you propose an icehouse backport? We could try to sneak it in 2014.1.2 planned for later this week...

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)

Here is proposed impact description draft #1:

Title: UUID v2 tokens do not expire with revocation events
Reporter: Lance Bragstad (Rackspace)
Products: Keystone
Versions: 2014.1.1

Description:
Lance Bragstad from Rackspace reported a vulnerability in Keystone V2 token support. By creating a token using the V2 API, a user may circumvent expiration time and evade token revocation. When the token is processed by the V3 API, its "issued_at" time is wrongly updated and then the service will fail to revoke it. Only Keystone setups configured to use revocation events and UUID tokens are affected.

Brant Knudson (blk-u) wrote :

Regarding the impact description in comment 12,

change "a user may circumvent expiration time and evade token revocation" to just "a user may evade token revocation".

change "wrongly" to "incorrectly".

@Brant, thanks for corrections!

We are going to handle the OSSA task within this report: https://launchpad.net/bugs/1347961

Reviewed: https://review.openstack.org/112082
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c34e79ae9ea243d27142d473e4c9c5c258e71df
Submitter: Jenkins
Branch: stable/icehouse

commit 0c34e79ae9ea243d27142d473e4c9c5c258e71df
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 09:14:14 2014 -0500

    Add tests related to V2 token issued_at time changing

    There was no test that showed that when a V2 token is used in a V3
    context its "issued_at" time changes. This affects validating a V2
    token using V3 and also revoking a V2 token. The tests show the
    current incorrect behavior.

    Partial-Bug: #1348820

    Change-Id: I2a3443847b2699384413933ae164fdc183aa110f
    (cherry picked from commit 556fb860311675fc437585651e4602b2908451eb)

tags: added: in-stable-icehouse

Reviewed: https://review.openstack.org/111772
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
Submitter: Jenkins
Branch: stable/icehouse

commit bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 16:26:38 2014 -0500

    Fix for V2 token issued_at time changing

    When the server converted a V2 token to a V3 token it regenerated
    the issued_at time.

    This was causing the server to return a different issued_at time
    when a V2 token was validated using the V3 API.

    This was causing the server to fail to revoke a V2 token if it was
    revoked before validating it first because the regenerated token was
    considered to be after the revocation event.

    Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
    Closes-Bug: #1348820
    (cherry picked from commit a4c73e4382cb062aa9f30fe1960d5014d3c49cc2)

Thierry Carrez (ttx) on 2014-08-07
Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) on 2014-08-11
Changed in ossa:
status: Triaged → In Progress
summary: Token issued_at time changes on /v3/auth/token GET requests
+ (CVE-2014-5252)
summary: - Token issued_at time changes on /v3/auth/token GET requests
- (CVE-2014-5252)
+ [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET
+ requests (CVE-2014-5252)
Changed in ossa:
status: In Progress → Fix Released

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/109757

Thierry Carrez (ttx) on 2014-09-04
Changed in keystone:
status: Fix Committed → Fix Released

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx) on 2014-10-16
Changed in keystone:
milestone: juno-3 → 2014.2