OpenStack Identity (keystone)

[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)

Bug #1348820 reported by Lance Bragstad on 2014-07-25

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Identity (keystone)	Fix Released	High	Brant Knudson	OpenStack Identity (keystone) 2014.2 "juno"
Icehouse	Fix Released	High	Brant Knudson	OpenStack Identity (keystone) 2014.1.2
OpenStack Security Advisory	Fix Released	High	Tristan Cacqueray

Bug Description

Steps to recreate

1.) Generate a v2.0
token http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf

2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4

Notice that the 'issued_at' time of the token has changed.

3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt

The 'issued_at' time of a token should not change when validating the token using /v3/auth/token GET api call.

This is because the issued_at time is being overwritten on GET here: https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319

This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated, in the case of HEAD or GET, the issued_at time should already exist.

See original description

Tags:

Lance Bragstad (lbragstad) on 2014-07-25

description:	updated
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-25: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/109747

Changed in keystone:
assignee:	nobody → Brant Knudson (blk-u)
status:	New → In Progress

Lance Bragstad (lbragstad) on 2014-07-25

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-25:

Fix proposed to branch: master
Review: https://review.openstack.org/109757

Changed in keystone:
assignee:	Brant Knudson (blk-u) → Lance Bragstad (lbragstad)

Lance Bragstad (lbragstad) on 2014-07-28

Changed in keystone:
assignee:	Lance Bragstad (lbragstad) → Brant Knudson (blk-u)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-28: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109602
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=556fb860311675fc437585651e4602b2908451eb
Submitter: Jenkins
Branch: master

commit 556fb860311675fc437585651e4602b2908451eb
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 09:14:14 2014 -0500

Add tests related to V2 token issued_at time changing

    There was no test that showed that when a V2 token is used in a V3
    context its "issued_at" time changes. This affects validating a V2
    token using V3 and also revoking a V2 token. The tests show the
    current incorrect behavior.

Partial-Bug: #1348820

Change-Id: I2a3443847b2699384413933ae164fdc183aa110f

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-07-28: Re: Token issued_at time changes on /v3/auth/token GET requests

The fix for this requires the following commits:

https://review.openstack.org/#/c/109747/ - Fix for V2 token issued_at time changing
https://review.openstack.org/#/c/109602/ - Add tests related to V2 token issued_at time changing

Changed in keystone:
milestone:	none → juno-3
importance:	Medium → High

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-07-28:

This is a security vulnerability since tokens aren't getting revoked as they should be.

information type:

Public → Public Security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-29: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109747
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a4c73e4382cb062aa9f30fe1960d5014d3c49cc2
Submitter: Jenkins
Branch: master

commit a4c73e4382cb062aa9f30fe1960d5014d3c49cc2
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 16:26:38 2014 -0500

Fix for V2 token issued_at time changing

When the server converted a V2 token to a V3 token it regenerated
the issued_at time.

This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.

    This was causing the server to fail to revoke a V2 token if it was
    revoked before validating it first because the regenerated token was
    considered to be after the revocation event.

Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
Closes-Bug: #1348820

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-07-30: Re: Token issued_at time changes on /v3/auth/token GET requests

@Brant, just to clarify, repeat call to "/v3/auth/tokens/ GET api" will prevent a token to expire ?

It seems to impact havana and icehouse too right ?

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-07-30:

@Tristan - I believe the issue here is that if you're attempting to validate a v2 token (that you got with a POST /v2.0/tokens) using the v3 API (using HEAD or HEAD /v3/auth/tokens) and Keystone is configured to use revocation events, the token will never be reported as expired.

So you've got your system configured to use revocation events and UUID tokens. You've disabled token caching in the auth_token middleware. Somebody gets a V2 token and uses it with Nova, etc. The auth_token middleware is validating the token and it always comes back as valid, never expired, even after the token expiration time.

This would only impact Icehouse since that's where revocation events were added.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-07-31:

Sounds valid to me

Changed in ossa:
importance:	Undecided → High
status:	Incomplete → Confirmed

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-08-04:

#10

@Brant: could you propose an icehouse backport ? We could try to sneak it in 2014.1.2 planned for later this week...

Tristan Cacqueray (tristan-cacqueray) on 2014-08-04

Changed in ossa:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-04: Fix proposed to keystone (stable/icehouse)

#11

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/111772

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-08-04: Re: Token issued_at time changes on /v3/auth/token GET requests

#12

Here is proposed impact description draft #1:

Title: UUID v2 tokens does not expire with revocation events
Reporter: Lance Bragstad (Rackspace)
Products: Keystone
Versions: 2014.1.1

Description:
Lance Bragstad from Rackspace reported a vulnerability in Keystone V2 token support. By creating a token using the V2 API, a user may circumvent expiration time and evade token revocation. When the token is processed by the V3 API, its "issued_at" time is wrongly updated and then the service will fail to revoke it. Only Keystone setups configured to use revocation events and UUID tokens are affected.

Revision history for this message

Brant Knudson (blk-u) wrote on 2014-08-04:

#13

Regarding the impact description in comment 12,

change "a user may circumvent expiration time and evade token revocation" to just "a user may evade token revocation".

change "wrongly" to "incorrectly".

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-08-04:

#14

@Brant, thanks for corrections!

We are going to handle the OSSA task within this report: https://launchpad.net/bugs/1347961

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-05: Fix proposed to keystone (stable/icehouse)

#15

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112082

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-07: Fix merged to keystone (stable/icehouse)

#16

Reviewed: https://review.openstack.org/112082
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c34e79ae9ea243d27142d473e4c9c5c258e71df
Submitter: Jenkins
Branch: stable/icehouse

commit 0c34e79ae9ea243d27142d473e4c9c5c258e71df
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 09:14:14 2014 -0500

Add tests related to V2 token issued_at time changing

Partial-Bug: #1348820

Change-Id: I2a3443847b2699384413933ae164fdc183aa110f
(cherry picked from commit 556fb860311675fc437585651e4602b2908451eb)

tags:

added: in-stable-icehouse

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-07:

#17

Reviewed: https://review.openstack.org/111772
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
Submitter: Jenkins
Branch: stable/icehouse

commit bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
Author: Brant Knudson <email address hidden>
Date: Fri Jul 25 16:26:38 2014 -0500

Fix for V2 token issued_at time changing

When the server converted a V2 token to a V3 token it regenerated
the issued_at time.

This was causing the server to return a different issued_at time
when a V2 token was validated using the V3 API.

    This was causing the server to fail to revoke a V2 token if it was
    revoked before validating it first because the regenerated token was
    considered to be after the revocation event.

    Change-Id: I71fea3253295ee8794fb2c8211e1f030de3ae205
    Closes-Bug: #1348820
    (cherry picked from commit a4c73e4382cb062aa9f30fe1960d5014d3c49cc2)

Thierry Carrez (ttx) on 2014-08-07

Changed in ossa:
status:	Confirmed → Triaged

Thierry Carrez (ttx) on 2014-08-11

Changed in ossa:
status:	Triaged → In Progress

Tristan Cacqueray (tristan-cacqueray) on 2014-08-15

summary:

Token issued_at time changes on /v3/auth/token GET requests
+ (CVE-2014-5252)

Tristan Cacqueray (tristan-cacqueray) on 2014-08-15

summary:	- Token issued_at time changes on /v3/auth/token GET requests - (CVE-2014-5252) + [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET + requests (CVE-2014-5252)
Changed in ossa:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-27: Change abandoned on keystone (master)

#18

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/109757

Thierry Carrez (ttx) on 2014-09-04

Changed in keystone:
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-15: Fix proposed to keystone (master)

#19

Fix proposed to branch: master
Review: https://review.openstack.org/121711

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-15: Change abandoned on keystone (master)

#20

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx) on 2014-10-16

Changed in keystone:
milestone:	juno-3 → 2014.2

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.