[OSSA 2013-025] PKI tokens are never revoked using memcache token backend (CVE-2013-4294)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Folsom | Fix Released | High | Unassigned |
Grizzly | Fix Released | High | Morgan Fainberg |
OpenStack Security Advisory | Fix Released | High | Thierry Carrez |
Bug Description
This is a more serious incarnation of: https:/
Looks to be fixed on master in c238ace30981877
In the memcache token backend, whole tokens are stored in the revocation list.
In keystone/
```python
166 def _add_to_
167 data_json = jsonutils.
168 if not self.client.
169 if not self.client.
170 if not self.client.
171 ',%s' % data_json):
172 msg = _('Unable to add token to revocation list.')
173 raise exception.
174
175 def delete_token(self, token_id):
176 # Test for existence
177 data = self.get_
178 ptk = self._prefix_
179 result = self.client.
180 self._add_
181 return result
```
And returned from the API when the auth_token middleware asks for the revocation list:
```python
208 def list_revoked_
209 list_json = self.client.
210 if list_json:
211 return jsonutils.
212 return []
```
The auth_token middleware hashes the signed token and searches the revocation list for the hash:
```python
1017 def is_signed_
1018 """Indicate whether the token appears in the revocation list."""
1019 revocation_list = self.token_
1020 revoked_tokens = revocation_
1021 if not revoked_tokens:
1022 return
1023 revoked_ids = (x['id'] for x in revoked_tokens)
1024 token_id = utils.hash_
1025 for revoked_id in revoked_ids:
1026 if token_id == revoked_id:
1027 self.LOG.
1028 token_id)
1029 return True
1030 return False
```
Because the memcache backend stores the entire token, the value of x['id'] above is not an md5 hash, but the encoded PKI token. This will never match the value of the hashed untrusted token.
Storing the whole token also means only around 256 tokens can be stored before the memcache page is full and errors happen.
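To make the mismatch concrete, the following is an added, self-contained Python model of the flow described in the report. It is not keystone's code and not the reporter's: FakeMemcache stands in for the memcache client, MemcacheTokenBackend records whole token records on revocation the way the description says the memcache backend does (with a store_hashed switch that instead records the md5, the shape the middleware can match), and is_signed_token_revoked reproduces the middleware-side comparison. The names FakeMemcache, demo and store_hashed are this example's own, the roughly 4 KB token strings are constructed placeholders rather than real CMS-signed tokens, and keying the token records on an md5 digest is an assumption made here for the fake store.

```python
import hashlib
import json


class FakeMemcache:
    """In-memory stand-in for a memcache client (constructed for this example)."""

    def __init__(self):
        self.store = {}

    def get(self, key):
        return self.store.get(key)

    def add(self, key, value):
        # memcache 'add' only succeeds when the key does not exist yet
        if key in self.store:
            return False
        self.store[key] = value
        return True

    def append(self, key, value):
        # memcache 'append' only succeeds when the key already exists
        if key not in self.store:
            return False
        self.store[key] += value
        return True

    def delete(self, key):
        return self.store.pop(key, None) is not None


def hash_signed_token(signed_text):
    """What the middleware compares against: md5 hex digest of the PKI text."""
    return hashlib.md5(signed_text.encode('utf-8')).hexdigest()


class MemcacheTokenBackend:
    """Models the reported flow: delete_token() pushes the whole token
    record into the revocation list, so each entry's 'id' is the full PKI
    token. With store_hashed=True the entry carries the md5 instead."""
    revocation_key = 'revocation-list'

    def __init__(self, client, store_hashed=False):
        self.client = client
        self.store_hashed = store_hashed

    @staticmethod
    def _key(token_id):
        # Assumption for this example: key records on a digest, since
        # memcache keys are limited to 250 bytes and a PKI token is KBs.
        return 'token-' + hash_signed_token(token_id)

    def create_token(self, token_id, data):
        self.client.add(self._key(token_id), json.dumps(data))

    def get_token(self, token_id):
        raw = self.client.get(self._key(token_id))
        return json.loads(raw) if raw else None

    def _add_to_revocation_list(self, data):
        data_json = json.dumps(data)
        if not self.client.append(self.revocation_key, ',%s' % data_json):
            if not self.client.add(self.revocation_key, data_json):
                raise RuntimeError('Unable to add token to revocation list.')

    def delete_token(self, token_id):
        data = self.get_token(token_id)
        result = self.client.delete(self._key(token_id))
        if self.store_hashed:
            data = {'id': hash_signed_token(data['id']),
                    'expires': data['expires']}
        self._add_to_revocation_list(data)
        return result

    def list_revoked_tokens(self):
        list_json = self.client.get(self.revocation_key)
        return json.loads('[%s]' % list_json) if list_json else []


def is_signed_token_revoked(revoked_tokens, signed_text):
    """Middleware side: hash the presented token, search entries' 'id'."""
    token_id = hash_signed_token(signed_text)
    return any(entry['id'] == token_id for entry in revoked_tokens)


def demo(store_hashed):
    """Create, revoke and re-check two constructed ~4 KB PKI-style tokens."""
    client = FakeMemcache()
    backend = MemcacheTokenBackend(client, store_hashed=store_hashed)
    tokens = ['MII' + c * 4000 for c in 'AB']  # constructed, not real CMS
    for t in tokens:
        backend.create_token(t, {'id': t, 'expires': '2013-09-30T00:00:00Z'})
        backend.delete_token(t)
    revoked = backend.list_revoked_tokens()
    return {
        'revoked': all(is_signed_token_revoked(revoked, t) for t in tokens),
        'entries': len(revoked),
        'list_bytes': len(client.get(backend.revocation_key)),
    }


if __name__ == '__main__':
    print('whole token stored:', demo(store_hashed=False))
    print('md5 stored:        ', demo(store_hashed=True))
```

With whole records stored, both tokens sit in the revocation list yet is_signed_token_revoked reports neither as revoked, because each entry's 'id' is the 4 KB token text and never equals the 32-character md5 the check computes; the stored list also grows by about 4 KB per revocation, which is why a 1 MB memcache item fills after a few hundred entries. With the md5 stored, the same check matches and each entry is under 80 bytes.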
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
information type: Private Security → Public Security
Adding Keystone PTL for impact confirmation