manila logs plaintext ssh passwords in debug mode

Bug #1976370 reported by Sven Kieske
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: High
Assigned to: Goutham Pacha Ravi

Bug Description

I stumbled upon this code while making myself familiar with the manila code in utils.py:

https://opendev.org/openstack/manila/src/branch/master/manila/utils.py#L127

        LOG.debug("ssh.connect: ip: %s, port: %s, username: %s, "
                  "password: %s, key_filename: %s, look_for_keys: %s, "
                  "timeout: %s, banner_timeout: %s",
                  self.ip,
                  self.port,
                  self.login,
                  self.password,
                  self.path_to_private_key,
                  look_for_keys,
                  self.conn_timeout,
                  self.conn_timeout)

You should never, ever, even in debug mode, log any credentials.

I didn't check yet if/when this gets called with debug mode, so I don't know the severity of this.

For reference, this is CWE-532 (Insertion of Sensitive Information into Log File):

https://cwe.mitre.org/data/definitions/532.html

kind regards

Sven
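A hardened form of the debug statement quoted above, together with a logging filter that scrubs any `password:` value that still reaches the logger, as an added Python example; this is neither manila's code nor the fix that merged, and the function names, the log format and the sample credential are constructed for illustration:

```python
import logging
import re

# Constructed sample credential for the demonstration; not a real secret.
SAMPLE_PASSWORD = "s3cr3t-example"

def ssh_connect_debug_line(ip, port, password, key_filename, look_for_keys, timeout):
    """Hardened counterpart of the leaked LOG.debug call: keep the operational
    fields, drop the username, and record only whether a password was given.
    The key path is a filename, not key material, so it may stay."""
    return ("ssh.connect: ip: %s, port: %s, password_supplied: %s, "
            "key_filename: %s, look_for_keys: %s, timeout: %s"
            % (ip, port, bool(password), key_filename, look_for_keys, timeout))

class RedactSecretsFilter(logging.Filter):
    """Defense in depth: rewrite 'password: <value>' / 'password=<value>' in any
    record before handlers see it, so a stray debug statement elsewhere in the
    code base cannot write a credential to disk."""
    _PATTERN = re.compile(r"(password\s*[:=]\s*)([^\s,]+)", re.IGNORECASE)

    def filter(self, record):
        # Format the message now, then clear args so handlers don't re-format.
        record.msg = self._PATTERN.sub(r"\1***", record.getMessage())
        record.args = ()
        return True

class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def log_with_redaction(msg, *args):
    """Emit one DEBUG record through the filter and return the line written."""
    logger = logging.getLogger("manila.utils.demo")  # hypothetical logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    for old in list(logger.handlers):
        logger.removeHandler(old)
    handler = _ListHandler()
    logger.addHandler(handler)
    if not logger.filters:
        logger.addFilter(RedactSecretsFilter())
    logger.debug(msg, *args)
    return handler.lines[0]
```

The filter is a safety net, not a substitute for the fix: the primary control is that the debug statement never receives the secret in the first place.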

Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks, Sven, for subscribing me to this bug. I've taken the liberty of also subscribing the OpenStack vulnerability managers as well as the Manila security reviewers in hopes we can get some initial visibility into this. While reports of suspected security vulnerabilities for Manila aren't officially overseen by the OpenStack VMT ( https://security.openstack.org/repos-overseen.html ), we're happy to assist with triage and providing guidance in such matters.

I agree that logging sensitive data counts as a security-related bug, even when it's limited to debug level logging. OpenStack has, however, not traditionally treated debug-level information disclosure as a severe enough vulnerability to warrant an embargo process in order to discuss and fix (class B3 in our report taxonomy https://security.openstack.org/vmt-process.html#report-taxonomy ), nor severe enough to issue a security advisory. My recommendation to the Manila developers would be to switch this to a normal "Public" bug report and add the "security" bugtag in order to indicate it's a potential security hardening opportunity.

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Thanks for reporting this issue Sven; and for your thoughts Jeremy. I agree this is a hardening opportunity. I'll switch this to public and use the "security" bug tag.

tags: added: security
Changed in manila:
importance: Undecided → High
assignee: nobody → Goutham Pacha Ravi (gouthamr)
milestone: none → zed-2
information type: Private Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/848016

Changed in manila:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/848719

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/848016
Committed: https://opendev.org/openstack/manila/commit/517966292af2eccb4f98520aba4374f463de21c9
Submitter: "Zuul (22348)"
Branch: master

commit 517966292af2eccb4f98520aba4374f463de21c9
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Changed in manila:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/manila/+/848856

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/manila/+/848719
Committed: https://opendev.org/openstack/manila/commit/48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 517966292af2eccb4f98520aba4374f463de21c9)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/manila/+/848856
Committed: https://opendev.org/openstack/manila/commit/b7190fe3e72a9f9fa4ec5adfb1842d0fd85529d0
Submitter: "Zuul (22348)"
Branch: stable/xena

commit b7190fe3e72a9f9fa4ec5adfb1842d0fd85529d0
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 517966292af2eccb4f98520aba4374f463de21c9)
    (cherry picked from commit 48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/manila/+/848864

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/manila/+/848864
Committed: https://opendev.org/openstack/manila/commit/732bf38f5d7caf00489901b0a5f09187c72f4e6d
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 732bf38f5d7caf00489901b0a5f09187c72f4e6d
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 517966292af2eccb4f98520aba4374f463de21c9)
    (cherry picked from commit 48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90)
    (cherry picked from commit b7190fe3e72a9f9fa4ec5adfb1842d0fd85529d0)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/manila/+/849647

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/manila/+/849648

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/849649

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/manila/+/849647
Committed: https://opendev.org/openstack/manila/commit/9fe6e8094f65fc3eb800de37777be043b2771ad8
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 9fe6e8094f65fc3eb800de37777be043b2771ad8
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 517966292af2eccb4f98520aba4374f463de21c9)
    (cherry picked from commit 48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90)
    (cherry picked from commit b7190fe3e72a9f9fa4ec5adfb1842d0fd85529d0)
    (cherry picked from commit 732bf38f5d7caf00489901b0a5f09187c72f4e6d)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/manila/+/849648
Committed: https://opendev.org/openstack/manila/commit/321dfbc06c8a256a2945404ccc6fc642b4eb5e11
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 321dfbc06c8a256a2945404ccc6fc642b4eb5e11
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Jun 28 23:12:48 2022 +0530

    Stop logging sensitive login information

    usernames and passwords must never be logged
    by the service, even in debug mode.

    Change-Id: I8eda1c849d0d1916345959178f32756e8a1e9c0e
    Closes-Bug: #1976370
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 517966292af2eccb4f98520aba4374f463de21c9)
    (cherry picked from commit 48f4bf6a168a8ec59ea26e44e1bdcf262ae96e90)
    (cherry picked from commit b7190fe3e72a9f9fa4ec5adfb1842d0fd85529d0)
    (cherry picked from commit 732bf38f5d7caf00489901b0a5f09187c72f4e6d)
    (cherry picked from commit 9fe6e8094f65fc3eb800de37777be043b2771ad8)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 15.0.0.0rc1

This issue was fixed in the openstack/manila 15.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 14.0.1

This issue was fixed in the openstack/manila 14.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 13.0.4

This issue was fixed in the openstack/manila 13.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (stable/train)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/849649
Reason: Train is about to transition to End of Life. Open patches need to be abandoned before branch deletion.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila ussuri-eol

This issue was fixed in the openstack/manila ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila victoria-eom

This issue was fixed in the openstack/manila victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila wallaby-eom

This issue was fixed in the openstack/manila wallaby-eom release.
