Comment 14 for bug 1855080

Daniel 'f0o' Preussker (dpreussker) wrote : Re: [Bug 1855080] Re: Credentials API allows listing and retrieving of all user's credentials

No. I'm not affiliated with any organisation in this regard. Just like the Octavia OSSA haha.

Thanks for asking tho :)

On December 5, 2019 5:57:21 PM UTC, Jeremy Stanley <email address hidden> wrote:
>Daniel, is there any organization you want credited along with you for
>reporting this defect?
>
>Gage, I think the use of "user's" in the title (copied from the report
>itself) incorrectly suggests that a user only has access to credentials
>for their own user rather than, as the description explains, for all
>users in that project. Instead maybe try "Credentials API allows listing
>and retrieving of project credentials" or something like that? As for
>the affects line, assuming this problem was only introduced in Stein,
>you want "==15.0.0, ==16.0.0" (wow, were there really no stable/stein
>point releases?!?) or alternatively ">=15.0.0 <15.0.1, >=16.0.0 <16.0.1"
>to accurately reflect that any point releases will contain the fix.
>
>
>Title:
> Credentials API allows listing and retrieving of all user's
> credentials
>
>Status in OpenStack Identity (keystone):
> In Progress
>Status in OpenStack Security Advisory:
> Confirmed
>Status in keystone package in Ubuntu:
> New
>
>Bug description:
> Tested against Stein and Train.
>
> # User creating a credential, i.e. totp or similar
> $ OS_CLOUD=1 openstack token issue
> | project_id | c3caf1b55bb84b78a795fd81838e5160
> | user_id | 9971b0f13d2d4a578212d028a53c3209
> $ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data
> $ OS_CLOUD=1 openstack credential list
> +----------------------------------+------+----------------------------------+-----------+------------+
> | ID                               | Type | User ID                          | Data      | Project ID |
> +----------------------------------+------+----------------------------------+-----------+------------+
> | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
> +----------------------------------+------+----------------------------------+-----------+------------+
>
> # Different User but same Project
> $ OS_CLOUD=2 openstack token issue
> | project_id | c3caf1b55bb84b78a795fd81838e5160
> | user_id | 6b28a0b073fc4ac7843f33190ebc5c3c
> $ OS_CLOUD=2 openstack credential list
> +----------------------------------+------+----------------------------------+-----------+------------+
> | ID                               | Type | User ID                          | Data      | Project ID |
> +----------------------------------+------+----------------------------------+-----------+------------+
> | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
> +----------------------------------+------+----------------------------------+-----------+------------+
>
> # Different User and Different Project
> $ OS_CLOUD=3 openstack token issue
> | project_id | d43f20ae5a7e4f36b701710277384401
> | user_id | 2e48f1a7d1474391a826a2b9700e5949
> $ OS_CLOUD=3 openstack credential list
> +----------------------------------+------+----------------------------------+-----------+------------+
> | ID                               | Type | User ID                          | Data      | Project ID |
> +----------------------------------+------+----------------------------------+-----------+------------+
> | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
> +----------------------------------+------+----------------------------------+-----------+------------+
>
> As shown anyone who's authenticated can retrieve any credentials
> including their 'secret'.
>
> This is a rather severe information disclosure vulnerability and
> completely defies the purpose of TOTP or MFA as these credentials are
> not kept secure or private whatsoever.
>
> If Auth-rules are configured to allow login with only 'totp' it would be
> extremely easy to assume a different user's identity.
>
> A CVE should be issued for this. I can take care of that paperwork.
>
> Versions affected and tested:
>
> Train/ubuntu:
> $ dpkg -l | grep keystone
> ii  keystone                   2:16.0.0-0ubuntu1~cloud0  all  OpenStack identity service - Daemons
> ii  keystone-common            2:16.0.0-0ubuntu1~cloud0  all  OpenStack identity service - Common files
> ii  python-keystoneauth1       3.13.1-0ubuntu1~cloud0    all  authentication library for OpenStack Identity - Python 2.7
> ii  python-keystoneclient      1:3.19.0-0ubuntu1~cloud0  all  client library for the OpenStack Keystone API - Python 2.x
> ii  python-keystonemiddleware  6.0.0-0ubuntu1~cloud0     all  Middleware for OpenStack Identity (Keystone) - Python 2.x
> ii  python3-keystone           2:16.0.0-0ubuntu1~cloud0  all  OpenStack identity service - Python 3 library
> ii  python3-keystoneauth1      3.17.1-0ubuntu1~cloud0    all  authentication library for OpenStack Identity - Python 3.x
> ii  python3-keystoneclient     1:3.21.0-0ubuntu1~cloud0  all  client library for the OpenStack Keystone API - Python 3.x
> ii  python3-keystonemiddleware 7.0.1-0ubuntu1~cloud0     all  Middleware for OpenStack Identity (Keystone) - Python 3.x
>
> Stein/RHEL:
> $ rpm -qa | grep keystone
> python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch
> openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
> python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch
> python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch
> python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
>

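An added offline check for the exposure reported in this thread (example code, not part of the bug discussion or of keystone itself): it parses captured `openstack token issue` and `openstack credential list` output for one non-admin user and reports every credential owned by a different user ID, which a patched keystone should no longer return. The sample text is constructed from the IDs quoted in the report.

```python
"""Offline check for the keystone credentials-API exposure (bug 1855080).

Paste the output of `openstack token issue` and `openstack credential list`,
both run as the same non-admin user, into the two constants below.
On an affected deployment the list contains other users' credentials.
"""

# Constructed sample, using the user/project IDs quoted in the bug report.
TOKEN_ISSUE = """\
| project_id | c3caf1b55bb84b78a795fd81838e5160 |
| user_id    | 6b28a0b073fc4ac7843f33190ebc5c3c |
"""

CREDENTIAL_LIST = """\
+----------------------------------+------+----------------------------------+-----------+------------+
| ID                               | Type | User ID                          | Data      | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
+----------------------------------+------+----------------------------------+-----------+------------+
"""


def parse_token_issue(text):
    """Return the key/value rows printed by `openstack token issue` as a dict."""
    fields = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2:
            fields[cells[0]] = cells[1]
    return fields


def parse_table(text):
    """Parse an openstackclient ASCII table into a list of row dicts (header -> cell)."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in r.strip("|").split("|"))))
            for r in rows[1:]]


def foreign_credentials(token_text, list_text):
    """Credentials visible to the caller that belong to another user_id.

    A non-admin user on a fixed keystone should get an empty list here."""
    me = parse_token_issue(token_text)["user_id"]
    return [c for c in parse_table(list_text) if c["User ID"] != me]


if __name__ == "__main__":
    for cred in foreign_credentials(TOKEN_ISSUE, CREDENTIAL_LIST):
        print(f"credential {cred['ID']} owned by {cred['User ID']} is visible to the caller")
```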