Manila share existence detection

Bug #1901210 reported by Arjen
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Medium
Assigned to: Goutham Pacha Ravi

Bug Description

Intro
-----
While performing a penetration test on a new OpenStack install of version Train, we found an issue that could lead to an information disclosure.

Description
-----------
In the test situation we had two separate projects, each with their own user. Users were only authorised for their own project, not for the other's project.

After creating a Manila share in project A by user A, we were able to check the existence of that share with user B by issuing the manila show <ID> command. The share cannot be manipulated or deleted.

Apparently, there is an authorisation check on the action but the error message makes it possible to determine the existence of a share.

Precondition
------------
- Logged in user (user B)

Discovered on October 8, 2020 by Arjen Zijlstra (<email address hidden>) and Arthur Donkers (arthur@1secure.nl)

Revision history for this message
Tom Barron (tpb) wrote :

Would this detection require guessing or somehow stealing a UUID?

Revision history for this message
Arjen (arjentz) wrote :

Yes, it is about the possibility of determining whether the share exists or not, based on the UUID:
---
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-b463-416b-9e79-769e68b9f6b1)
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.
---

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Arjen:

The code that's sending the 403 response is here: https://opendev.org/openstack/manila/src/commit/346cebcbbb519d07d98ce60cd2d388ff00a0ce25/manila/share/api.py#L1757-L1758

I sort of agree that you can detect whether a resource exists or not just because the API responds with a 403 in this case.

403 is still a valid response imo if the share belongs to the project that the user belongs to as well, but the user has no access to this action, "share:get".

In your specific case, the correct response should be 404, since the user requesting "share:get" isn't from the same project that owns the share b0758fbd-bb1c-47e7-875e-b72336111709.

Do we agree with this assessment?

Revision history for this message
Arjen (arjentz) wrote :

Yes, if the user has no connection to the share, a 404 response should be given (the same as with a non-existent share). If the user is in the same project and already knows about the existence that way, a 403 seems appropriate.

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Thanks for your patience with this bug. I checked with the API SIG for guidance regarding this, and was surprised to find there was none. As I mentioned in comment #3, the pattern for 404 vs 403 has been the following:

- If the resource in the URL doesn't exist, HTTP 404 is returned
- If the resource in the URL exists, but the caller has no access to the resource, HTTP 403 is returned.

This approach is used across other OpenStack projects. However, I think we agree with your stance - and we'll pick this bug up to fix in Wallaby.

The fix will be along these lines:

- If the resource in the URL doesn't exist, HTTP 404 is returned
- If the resource in the URL does exist, but the caller's using a project scoped token and their project does not match the project that the resource is within: HTTP 404 is returned
- If the resource in the URL does exist, but the caller's using a system scoped token or using a project token, but they have been forbidden by policy, HTTP 403 is returned.

Since taking advantage of this bug requires guessing UUIDs, and there is no information leakage beyond the existence detection, I think this can be a Class C1 bug per the OpenStack VMT guidelines [2].

Do share your thoughts on this. We'll follow up this work alongside the secure-rbac effort that's ongoing across Manila [3].

[1] http://eavesdrop.openstack.org/irclogs/%23openstack-glance/%23openstack-glance.2021-02-12.log.html#t2021-02-12T15:28:21
[2] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
[3] https://review.opendev.org/q/topic:%2522secure-rbac%2522+(status:open+OR+status:merged)+project:openstack/manila
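The three 404-vs-403 rules above, worked through as an added Python example (not manila's own code). It assumes a constructed policy table for "share:get", a dict of shares keyed by ID, and tokens whose project_id of None stands for a system-scoped token; the pre-fix behaviour is modelled alongside so the difference is visible.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    roles: frozenset
    project_id: Optional[str] = None  # None models a system-scoped token


@dataclass(frozen=True)
class Share:
    project_id: str
    is_public: bool = False


# Constructed policy for the example: roles allowed to perform "share:get".
POLICY = {"share:get": frozenset({"admin", "member", "reader"})}


def policy_allows(token, action):
    return bool(POLICY.get(action, frozenset()) & token.roles)


def visible_to(token, share):
    # Public shares, shares owned by the caller's project, and any share for a
    # system-scoped token (no project) are visible; policy still applies after.
    return share.is_public or token.project_id in (None, share.project_id)


def get_share_legacy(shares, token, share_id):
    # Pre-fix behaviour: every authorization failure is a 403, so a caller from
    # another project can tell an existing share (403) from a missing one (404).
    share = shares.get(share_id)
    if share is None:
        return 404, None
    if not visible_to(token, share) or not policy_allows(token, "share:get"):
        return 403, None
    return 200, share


def get_share_fixed(shares, token, share_id):
    # Fixed behaviour: a project-scoped caller from another project gets the
    # same 404 as for a missing share; 403 is kept for callers who can see the
    # share (same project, or a system-scoped token) but are denied by policy.
    share = shares.get(share_id)
    if share is None:
        return 404, None
    if not visible_to(token, share):
        return 404, None
    if not policy_allows(token, "share:get"):
        return 403, None
    return 200, share


def leaks_existence(handler, shares, token, existing_id, missing_id):
    # True if the status differs between an existing share the caller may not
    # access and a share that does not exist: the oracle reported in this bug.
    seen = handler(shares, token, existing_id)[0]
    absent = handler(shares, token, missing_id)[0]
    return seen != absent
```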

Changed in manila:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Goutham Pacha Ravi (gouthamr)
milestone: none → wallaby-3
Changed in manila:
milestone: wallaby-3 → wallaby-rc1
Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

This bug wasn't addressed in the release candidate for Wallaby. We'll consider a backport as soon as a fix is available.

Changed in manila:
milestone: wallaby-rc1 → xena-1
Changed in manila:
milestone: xena-1 → xena-2
Changed in manila:
milestone: xena-2 → yoga-1
Changed in manila:
milestone: yoga-1 → yoga-2
Changed in manila:
milestone: yoga-2 → zed-1
Changed in manila:
milestone: zed-1 → zed-3
Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Fix proposed to branch: master
    https://review.opendev.org/c/openstack/manila/+/857807

Changed in manila:
milestone: zed-3 → zed-rc1
information type: Private Security → Public
Changed in manila:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila-tempest-plugin (master)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/857933
Committed: https://opendev.org/openstack/manila-tempest-plugin/commit/a90e3251d655ada1499c6f627a66036b8ee38a6f
Submitter: "Zuul (22348)"
Branch: master

commit a90e3251d655ada1499c6f627a66036b8ee38a6f
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Sep 15 09:36:32 2022 -0700

    Expect 404 for unauthorized share access

    As a fix to bug #1901210, manila's API now responds with
    a 404 if a user doesn't have access to a non-public share to
    prevent an existence detection attack. Since manila tempest tests
    can be used for older branches without the fix, we must accommodate
    both error codes - 403 and 404 in our tests for a while.

    Change-Id: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Partial-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila-tempest-plugin (master)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/857807
Committed: https://opendev.org/openstack/manila/commit/6303741be2394de9301f03f28f7ad20216aad7f6
Submitter: "Zuul (22348)"
Branch: master

commit 6303741be2394de9301f03f28f7ad20216aad7f6
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Changed in manila:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/manila/+/859235

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/859236

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/manila/+/859237

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/manila/+/859238

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/manila/+/859239

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/manila/+/859240

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/859241

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859235
Committed: https://opendev.org/openstack/manila/commit/078bc4300a93e61c22b4958d87e034a707a700a1
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 078bc4300a93e61c22b4958d87e034a707a700a1
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859236
Committed: https://opendev.org/openstack/manila/commit/dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859237
Committed: https://opendev.org/openstack/manila/commit/5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)
    (cherry picked from commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859238
Committed: https://opendev.org/openstack/manila/commit/2e420aa5b7523e6c37c16baac18843fee2f15b57
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 2e420aa5b7523e6c37c16baac18843fee2f15b57
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)
    (cherry picked from commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f)
    (cherry picked from commit 5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859239
Committed: https://opendev.org/openstack/manila/commit/db7c4827410ee650524c886b85be3cd0ae7178b3
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit db7c4827410ee650524c886b85be3cd0ae7178b3
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)
    (cherry picked from commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f)
    (cherry picked from commit 5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0)
    (cherry picked from commit 2e420aa5b7523e6c37c16baac18843fee2f15b57)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859240
Committed: https://opendev.org/openstack/manila/commit/256ebc2d683f9ae3c6af6d2d018c4c0e3aed74dc
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 256ebc2d683f9ae3c6af6d2d018c4c0e3aed74dc
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)
    (cherry picked from commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f)
    (cherry picked from commit 5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0)
    (cherry picked from commit 2e420aa5b7523e6c37c16baac18843fee2f15b57)
    (cherry picked from commit db7c4827410ee650524c886b85be3cd0ae7178b3)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 15.1.0

This issue was fixed in the openstack/manila 15.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 14.0.1

This issue was fixed in the openstack/manila 14.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 13.0.4

This issue was fixed in the openstack/manila 13.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/train)

Reviewed: https://review.opendev.org/c/openstack/manila/+/859241
Committed: https://opendev.org/openstack/manila/commit/7278cec23e7bc988fa051f7a0cefc2c0719205b0
Submitter: "Zuul (22348)"
Branch: stable/train

commit 7278cec23e7bc988fa051f7a0cefc2c0719205b0
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 14 22:13:11 2022 -0700

    [RBAC] Return 404 if share is inaccessible

    When a user is prevented from listing a non-public
    share, the API service would return a 403 Forbidden.
    This isn't consistent with the API SIG's guidance
    on resources restricted by virtue of RBAC policy since
    users with malicious intent may use the signal to
    mean that the resource exists.

    Depends-On: I27fdd7dfffeb15965b66dbb3f6b1568c11ff9ad4
    Change-Id: I7e05dcb343c932cc7fec8d395919053d0a1801ce
    Closes-Bug: #1901210
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 6303741be2394de9301f03f28f7ad20216aad7f6)
    (cherry picked from commit 078bc4300a93e61c22b4958d87e034a707a700a1)
    (cherry picked from commit dfb4e7ee93d4893fab19e6bf4f989483ef3bef6f)
    (cherry picked from commit 5b8b7b19fd3cda9e2b3f573cdd9e704d1cca8cb0)
    (cherry picked from commit 2e420aa5b7523e6c37c16baac18843fee2f15b57)
    (cherry picked from commit db7c4827410ee650524c886b85be3cd0ae7178b3)
    (cherry picked from commit 256ebc2d683f9ae3c6af6d2d018c4c0e3aed74dc)

tags: added: in-stable-train