Incorrect condition expression for ssl_insecure (CVE-2014-7144)

Fix proposed to branch: master
Review: https://review.openstack.org/112232

We are no longer making functional changes to auth_token in keystoneclient. Refiled against keystonemiddleware.

The same comments about the option set in the paste.ini for bug 1354269 and this being managed by the oslo.config object apply here.

This, if oslo.config is used as a fix, is a duplicate of bug 1354269

The scenario where a deployer specifically sets:

  ssl_insecure = false

... in an attempt to ensure that verification is performed will be sorely disappointed to learn that it is not, and perhaps left vulnerable. This qualifies as a security fix and *should* be fixed in python-keystoneclient as well as keystonemiddleware.

After reading the code & proposed patch, I'm not sure that the assertion made by this bug is correct: "In auth_token.py, _http_request(), self.ssl_insecure is a string" (it's defined using oslo to be a bool). Can someone confirm that this is an issue?

Also, my example config in comment #4 should not have used "ssl_insecure." The correct configuration option is actually:

    insecure = false

Adding OSSN placeholder in case one is warranted.

Hmm, I'm not confident I know the difference between OS Security Advisories and Notes - should Advisory be removed here?

I have done the tests and can confirm this is an issue. If I add 'insecure = 1' in /etc/nova/nova.conf it is OK, the 'insecure' can be convert to bool. But, if I add 'insecure = 1' in /etc/nova/api-paste.ini the 'insecure' would be a string. This is because when add conf in /etc/nova/api-paste.ini the conf will be passed into AuthProtocol class as initialization parameters rather than passed into oslo.

Fix proposed to branch: master
Review: https://review.openstack.org/113191

So.. how we consider this this depends a bit how common it is to pass such parameters in api-paste.conf instead of nova.conf. Are both options fully supported ? Was one deprecated in favor of the other ?

Thierry - config options for auth_token can be put in either api-paste.ini or .conf. Both are fully supported. I think the plan was to deprecate api-paste.ini options but that never happened.

Draft impact description:

Title: TLS certificate verification option not honoured in paste configurations
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.9.0 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in python-keystoneclient and keystonemiddleware. When the 'insecure' option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware and python-keystoneclient configured via a paste.ini file are affected by this flaw.

Impact description in #12 looks good to me.

Maybe a note that ssl configuration in .conf is not impacted if no ssl configuration is done in paste file.

Maybe "certificate" -> "cert" and "configurations" -> "configs" in the title for shorter title line ?

Maybe mention that the vulnerability is in keystonemiddleware, which was in the past shipped as part of python-keystoneclient (that may make it clearer what they need to update)

Reviewed: https://review.openstack.org/113191
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=5835b232519be6a0497ee77316307acb79d9c7b1
Submitter: Jenkins
Branch: master

commit 5835b232519be6a0497ee77316307acb79d9c7b1
Author: wanghong <email address hidden>
Date: Mon Aug 11 15:54:47 2014 +0800

    convert the conf value into correct type

    If options are set in paste file e.g. api-paste.ini for nova, all
    the option values passed into AuthProtocol.conf are string type.
    So, we should convert the conf value into correct type.

    Change-Id: I0367cd6b54ee49f5db6541840539e7700f241f87
    Closes-Bug: #1353315

Impact description - update

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.

+1 impact desc

This will be released in a subsequent point release (slated for 0.11.1) once it merges.

Reviewed: https://review.openstack.org/112232
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Submitter: Jenkins
Branch: master

commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Author: Qin Zhao <email address hidden>
Date: Wed Aug 6 15:47:58 2014 +0800

    Fix the condition expression for ssl_insecure

    In the existing code, self.ssl_insecure is a string. If insecure
    option is set in nova api-paste.ini, whatever it is 'true' or
    'false', kwargs['verify'] will become False. This commit corrects
    the condition expression. This patch is backported from
    https://review.openstack.org/#/c/113191/

    Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
    Closes-Bug: 1353315

This bug has been assigned CVE-2014-7144.

Advisory published: http://lists.openstack.org/pipermail/openstack-announce/2014-September/000281.html