[OSSA 2013-010] Insecure directory creation for signing
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Russell Bryant | |
| Grizzly | Fix Released | High | Russell Bryant | |
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
| Folsom | Fix Released | Medium | Alan Pevec | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
| python-keystoneclient | Fix Released | Medium | Dolph Mathews | |
Bug Description
Originally found by Grant Murphy (<email address hidden>):
The signing directory is used to store the signing certificates
and the default location for this directory is:
signing_dir = /tmp/keystone-
In the file:
keystone/
During the initialization of the AuthMiddleware the following operations are made for the signing directory:
IF the directory exists but cannot be written to, a configuration error is raised.
ELSE IF the directory doesn't exist, create it.
NEXT chmod permissions(
AFAICT the signing certificates used in validation will only be fetched from the keystone if the cms_verify action raises an exception because the certificate file is missing from the signing directory.
This means that if an attacker populated the /tmp/keystone- with the appropriate files for signature verification, they could potentially issue forged tokens which would be validated by the middleware. As:
- The directory location is deterministic. (default for glance, nova)
- *If the directory already exists it is reused*
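The "reused if it already exists" step above is what turns a predictable path into a problem. Below is an added example, not code from keystone, nova or python-keystoneclient, showing the kind of check a middleware can apply before trusting a signing directory: an existing path is accepted only if it is a real directory owned by the current user and writable by nobody else, and a missing one is created with mode 0700. The function name `ensure_signing_dir`, the `ConfigurationError` class and the temp-directory scenarios are assumptions for the demonstration.

```python
import os
import stat
import tempfile

class ConfigurationError(Exception):
    pass

def ensure_signing_dir(path):
    """Create the signing-certificate cache dir, or vet an existing one.

    An existing path is reused only if it is a real directory (not a symlink)
    owned by the current user and writable by nobody else.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        os.mkdir(path, 0o700)   # brand-new directory, private to this user
        os.chmod(path, 0o700)   # pin the mode explicitly, whatever the umask
        return path
    # Something already lives at this path: check it before trusting it.
    if not stat.S_ISDIR(st.st_mode):
        raise ConfigurationError("%s exists but is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise ConfigurationError("%s is owned by uid %d" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        raise ConfigurationError("%s is writable by group or others" % path)
    return path

def _rejected(path):
    try:
        ensure_signing_dir(path)
    except ConfigurationError:
        return True
    return False

def demo():
    """Return (mode of a freshly created dir, world-writable dir rejected,
    symlink rejected), using constructed directories under a temp base."""
    base = tempfile.mkdtemp()
    fresh = os.path.join(base, "keystone-signing")
    ensure_signing_dir(fresh)
    new_mode = stat.S_IMODE(os.lstat(fresh).st_mode)
    planted = os.path.join(base, "keystone-signing-planted")  # left by someone else
    os.mkdir(planted)
    os.chmod(planted, 0o1777)                                  # world-writable, like /tmp
    link = os.path.join(base, "keystone-signing-link")        # symlink to a sound dir
    os.symlink(fresh, link)
    return new_mode, _rejected(planted), _rejected(link)
```

A directory the service created itself passes the same check on later runs, so the rejection only bites when somebody else got to the path first.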
information type: | Private Security → Public Security |
Changed in keystone: | |
status: | New → Invalid |
summary: | Insecure directory creation for signing → [OSSA 2013-010] Insecure directory creation for signing |
Changed in ossa: | |
assignee: | nobody → Thierry Carrez (ttx) |
status: | New → Fix Released |
Changed in nova: | |
milestone: | none → havana-1 |
status: | Fix Committed → Fix Released |
Changed in python-keystoneclient: | |
milestone: | none → 0.2.4 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | havana-1 → 2013.2 |
no longer affects: | nova/folsom |
> and the default location for this directory is:
> signing_dir = /tmp/keystone-signing-nova
It is not; that happens to be the default in Fedora's nova.conf: http://pkgs.fedoraproject.org/cgit/openstack-nova.git/tree/nova.conf#n27
The default in the authtoken middleware code (now located in python-keystoneclient) is ~/keystone-signing, and normally the home directory of the user account running the application (where the authtoken m/w is inserted) should not be world-writable.