Comment 67 for bug 1490804

Nathan Kinder (nkinder) wrote : Re: PKI Token Revocation Bypass

Tristan - I have the OSSN draft written up, which has been reviewed by a few people from the Security team as well as by Adam Young. If we are also going to provide a fix, I will need to reword a few things in the "recommendations" section. Here is the current draft of the OSSN:

-----
Potential reuse of revoked Identity tokens
---

### Summary ###
An authorization token issued by the Identity service can be revoked,
which is designed to immediately make that token invalid for future use.
When the PKI or PKIZ token formats are used, it is possible for an
attacker to manipulate the token contents of a revoked token such that
the token will still be considered to be valid. This can allow
unauthorized access to cloud resources if a revoked token is intercepted
by an attacker.

### Affected Services / Software ###
Keystone, Icehouse, Juno, Kilo, Liberty

### Discussion ###
Token revocation is used in OpenStack to invalidate a token for further
use. This token revocation takes place automatically in certain
situations, such as when a user logs out of the Dashboard. If a revoked
token is obtained by another party, it should no longer be possible to
use it to perform any actions within the cloud. Unfortunately, this is
not the case when the PKI or PKIZ token format is used.

When a PKI or PKIZ token is validated, the Identity service checks it
by searching for a revocation by the entire token. It is possible for
an attacker to manipulate portions of an intercepted PKI or PKIZ token
that are not cryptographically protected, which will cause the
revocation check to improperly consider the token to be valid.

### Recommended Actions ###
We recommend that you do not use the PKI or PKIZ token formats. Due to
the way that these formats were designed, it is not possible to fix this
issue in a way that is backwards compatible. The PKI and PKIZ token
formats do not offer any significant benefit over other token formats
such as the UUID or Fernet formats.

If you are using the PKI or PKIZ token format, it is recommended that
you switch to using another supported token format such as the UUID
format. There are no plans to fix this issue in the PKI and PKIZ token
providers in the Identity service.

To check what token provider you are using, you must look in the
'keystone.conf' file for your Identity service. An example is provided
below:

---- begin keystone.conf sample snippet ----
[token]
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider
---- end keystone.conf sample snippet ----

This configuration snippet is using the UUID token format. If you are
using either of the commented out settings from this example, your cloud
is vulnerable to this issue and you should switch to a different token
provider.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0061
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1490804
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg
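The following is an added illustration of the check described in the "Discussion" section of the draft; it is not Keystone code and not part of the comment above. It models a signed token whose revocation list is keyed on a hash of the raw token string, and contrasts that with a list keyed on an identifier that the signature covers. Assumptions, labelled in the code: an HMAC stands in for the CMS signature, a JSON payload carrying a "token_id" field stands in for the real token body, and the unsigned portion that an attacker can alter is modelled as whitespace that the decoder tolerates in a PEM-style wrapper. The page does not say which unprotected portion was manipulated in the real bug, so the whitespace trick here is only one constructed instance of the general problem.

```python
"""Constructed model of a revocation check keyed on the raw token text.
Not Keystone's implementation; the signature, payload layout and the
tolerated-whitespace wrapper are all assumptions for illustration."""
import base64
import hashlib
import hmac
import json

# Assumed signing key; a real PKI/PKIZ token carries a CMS signature instead.
SIGNING_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    """Stand-in for the CMS signature over the token body."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def issue_token(claims: dict) -> str:
    """Produce the wire form: base64(payload || signature)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(payload + _sign(payload)).decode()


def parse_token(token: str) -> dict:
    """Decode and verify a token.

    Whitespace anywhere in the wire form is stripped before decoding, as a
    PEM-style wrapper would be.  That whitespace is outside the signed bytes,
    so it is the portion an attacker can freely change."""
    raw = "".join(token.split())
    blob = base64.b64decode(raw)
    payload, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    return json.loads(payload)


def token_hash(token: str) -> str:
    """Hash of the entire raw token string, as received."""
    return hashlib.sha256(token.encode()).hexdigest()


class RevocationList:
    """Keeps both kinds of revocation key so the two checks can be compared."""

    def __init__(self) -> None:
        self.by_raw_hash: set[str] = set()
        self.by_signed_id: set[str] = set()

    def revoke(self, token: str) -> None:
        claims = parse_token(token)
        self.by_raw_hash.add(token_hash(token))
        self.by_signed_id.add(claims["token_id"])


def validate_weak(token: str, revoked: RevocationList) -> bool:
    """Revocation keyed on the hash of the whole raw token (the flawed pattern).
    Returns True when the token is accepted."""
    parse_token(token)  # signature still verifies after whitespace changes
    return token_hash(token) not in revoked.by_raw_hash


def validate_fixed(token: str, revoked: RevocationList) -> bool:
    """Revocation keyed on an identifier inside the signed payload.
    Returns True when the token is accepted."""
    claims = parse_token(token)
    return claims["token_id"] not in revoked.by_signed_id


def tamper(token: str) -> str:
    """Attacker step: insert a newline that the decoder tolerates but the
    raw-string hash does not, leaving the signed bytes untouched."""
    return token[:8] + "\n" + token[8:]


if __name__ == "__main__":
    original = issue_token({"token_id": "tok-1", "user": "alice"})
    rl = RevocationList()
    rl.revoke(original)
    forged = tamper(original)
    print("same claims after tamper:", parse_token(forged) == parse_token(original))
    print("weak check accepts revoked original:", validate_weak(original, rl))
    print("weak check accepts tampered copy:   ", validate_weak(forged, rl))
    print("fixed check accepts tampered copy:  ", validate_fixed(forged, rl))
```

The point of the comparison is that revocation must be keyed on something the signature binds. A hash of the received bytes is only stable if every byte of the wire form is canonical and covered by the signature; any tolerated variation (wrapper whitespace, non-canonical encoding, unsigned header fields) gives the holder of a revoked token a way to produce a different raw string that decodes and verifies to the same token.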