2020-04-14 15:07:01 |
kay |
bug |
|
|
added bug |
2020-04-14 15:14:48 |
kay |
description |
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keyston using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
|
2020-04-14 15:45:15 |
Jeremy Stanley |
description |
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past $NINETY_DAYS and will be made
public by or on that date if no fix is identified.
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
|
2020-04-14 15:45:38 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2020-04-14 15:45:50 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2020-04-14 15:47:26 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past $NINETY_DAYS and will be made
public by or on that date if no fix is identified.
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-07-13 and will be made
public by or on that date if no fix is identified.
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
|
2020-04-14 15:47:38 |
Jeremy Stanley |
bug |
|
|
added subscriber Keystone Core security contacts |
2020-04-17 00:12:37 |
Colleen Murphy |
attachment added |
|
0001-Check-timestamp-of-signed-EC2-token-request.patch https://bugs.launchpad.net/keystone/+bug/1872737/+attachment/5355816/+files/0001-Check-timestamp-of-signed-EC2-token-request.patch |
|
2020-04-17 17:34:29 |
Colleen Murphy |
attachment added |
|
0001-Check-timestamp-of-signed-EC2-token-request.patch https://bugs.launchpad.net/keystone/+bug/1872737/+attachment/5356255/+files/0001-Check-timestamp-of-signed-EC2-token-request.patch |
|
2020-04-17 17:35:44 |
Colleen Murphy |
keystone: status |
New |
In Progress |
|
2020-04-17 17:35:48 |
Colleen Murphy |
keystone: importance |
Undecided |
Medium |
|
2020-04-17 17:35:51 |
Colleen Murphy |
keystone: assignee |
|
Colleen Murphy (krinkle) |
|
2020-04-21 17:06:24 |
Colleen Murphy |
keystone: milestone |
|
ussuri-rc1 |
|
2020-04-22 03:56:00 |
Colleen Murphy |
attachment added |
|
0001-Check-timestamp-of-signed-EC2-token-request.patch https://bugs.launchpad.net/keystone/+bug/1872737/+attachment/5357807/+files/0001-Check-timestamp-of-signed-EC2-token-request.patch |
|
2020-04-22 03:56:26 |
Colleen Murphy |
attachment added |
|
bug-1872737.2.diff https://bugs.launchpad.net/keystone/+bug/1872737/+attachment/5357808/+files/bug-1872737.2.diff |
|
2020-04-28 18:34:01 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-07-13 and will be made
public by or on that date if no fix is identified.
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
AWS Signature V4 has a limited TTL for a token signature, used to perform an authenticated request, usually it is 5 minutes. If there is a MITM possible, then an attacker can use a sniffed header only within 5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can sniff an auth header, this header can be used an unlimited number of times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against keystone using ec2 credentials. If you set a timestamp (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions) to "time.Time{}" here: https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40, keystone will identify this token as a valid one and return a valid openstack token. |
|
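The missing check the report describes, and that the attached "Check timestamp of signed EC2 token request" patch addresses, is a freshness window on the timestamp that AWS Signature V4 already signs. The block below is an added illustration written for this page, not Keystone's code and not the attached patch: it shows a server-side freshness check that rejects a signed request whose timestamp is missing, unparseable, or outside a 5-minute window of the server clock, which is exactly what turns an indefinitely replayable captured header into one that is only useful for the TTL. The function names, the request dict shape (`{"headers": ..., "params": ...}`), the two accepted timestamp formats and `EXAMPLE_NOW` are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Window the report cites as the usual AWS SigV4 signature TTL.
SIGNATURE_TTL = timedelta(minutes=5)

# Formats accepted here: the compact SigV4 X-Amz-Date form and plain ISO-8601
# UTC (which is how a Go zero time.Time{} serialises: "0001-01-01T00:00:00Z").
_TIMESTAMP_FORMATS = ("%Y%m%dT%H%M%SZ", "%Y-%m-%dT%H:%M:%SZ")

# Constructed reference clock for the worked example (the report's own date).
EXAMPLE_NOW = datetime(2020, 4, 14, 15, 7, 1, tzinfo=timezone.utc)


def parse_signed_timestamp(value):
    """Return the request timestamp as an aware UTC datetime, or None when the
    value is absent or in an unrecognised format."""
    if not value:
        return None
    for fmt in _TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def extract_signed_timestamp(request):
    """Pull the timestamp that SigV4 covers out of a request dict of the
    constructed shape {"headers": {...}, "params": {...}}. X-Amz-Date (as a
    header or as a query parameter) wins; the Date header is the fallback."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    params = request.get("params", {})
    return (headers.get("x-amz-date")
            or params.get("X-Amz-Date")
            or headers.get("date"))


def signature_is_fresh(request, now=None, ttl=SIGNATURE_TTL):
    """Decide whether an already signature-verified request may still be used.

    Returns (ok, reason). Run this after the HMAC signature has been verified:
    the timestamp is part of the signed string, so whoever only captured the
    header cannot move it, and this window bounds how long the capture stays
    usable. A zero or absent timestamp is refused for the same reason as a
    very old one: it is outside the window, so no special case is needed."""
    now = now or datetime.now(timezone.utc)
    stamp = parse_signed_timestamp(extract_signed_timestamp(request))
    if stamp is None:
        # Absent or unparseable: fail closed rather than treating it as "now".
        return False, "signed request carries no usable timestamp"
    skew = now - stamp
    if skew > ttl:
        return False, "signature expired %s ago" % (skew - ttl)
    if skew < -ttl:
        # Symmetric window: tolerate clock drift, reject anything far ahead.
        return False, "signature timestamp is %s in the future" % (-skew)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a fresh one, a 17-minute-old one, and the
    # zero-time case from the report, all judged against EXAMPLE_NOW.
    for sample in (
        {"headers": {"X-Amz-Date": "20200414T150500Z"}},
        {"headers": {"X-Amz-Date": "20200414T145000Z"}},
        {"headers": {"X-Amz-Date": "0001-01-01T00:00:00Z"}},
        {"headers": {}},
    ):
        print(sample, "->", signature_is_fresh(sample, now=EXAMPLE_NOW))
```

The window is deliberately symmetric so that a client whose clock runs a little ahead is not rejected, while a timestamp far in the future (which would otherwise stay valid for years) is. A freshness window limits how long a captured header can be replayed; it does not prevent replay inside the window, so the check complements, rather than replaces, transport protection for the credential exchange.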
2020-04-28 18:34:07 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2020-04-30 20:22:27 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
2020-05-02 02:46:09 |
OpenStack Infra |
tags |
|
in-stable-ussuri |
|
2020-05-03 07:54:56 |
OpenStack Infra |
tags |
in-stable-ussuri |
in-stable-train in-stable-ussuri |
|
2020-05-04 06:14:40 |
OpenStack Infra |
tags |
in-stable-train in-stable-ussuri |
in-stable-stein in-stable-train in-stable-ussuri |
|
2020-05-04 11:56:15 |
Maurice Escher |
bug |
|
|
added subscriber Maurice Escher |
2020-05-06 14:58:41 |
Gage Hugo |
ossa: assignee |
|
Gage Hugo (gagehugo) |
|
2020-05-06 15:17:27 |
Gage Hugo |
summary |
Keystone doesn't check signature TTL of the EC2 credential auth method |
[OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method |
|
2020-05-06 15:17:58 |
Gage Hugo |
summary |
[OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method |
[OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE PENDING) |
|
2020-05-06 18:07:15 |
Jeremy Stanley |
ossa: status |
Incomplete |
In Progress |
|
2020-05-07 23:17:20 |
Nick Tait |
cve linked |
|
2020-12692 |
|
2020-05-12 04:59:00 |
OpenStack Infra |
tags |
in-stable-stein in-stable-train in-stable-ussuri |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-05-12 05:09:13 |
Gage Hugo |
summary |
[OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE PENDING) |
[OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE-2020-12692) |
|
2020-05-14 00:56:32 |
OpenStack Infra |
tags |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-06-02 20:26:24 |
OpenStack Infra |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-pike in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-08-17 14:27:08 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Released |
|
2022-06-20 11:32:57 |
Christian Rohmann |
bug |
|
|
added subscriber Christian Rohmann |