consoleauth token displayed in log file

Bug #1492140 reported by Paul Carlton on 2015-09-04
This bug affects 2 people
Affects | Importance | Assigned to
OpenStack Compute (nova) | Low | Tristan Cacqueray
OpenStack Security Advisory | Undecided | Tristan Cacqueray
oslo.utils | Low | Paul Carlton

Bug Description

When the instance console is accessed, the auth token is displayed in nova-consoleauth.log

nova-consoleauth.log:874:2015-09-02 14:20:36 29941 INFO nova.consoleauth.manager [req-6bc7c116-5681-43ee-828d-4b8ff9d566d0 fe3cd6b7b56f44c9a0d3f5f2546ad4db 37b377441b174b8ba2deda6a6221e399] Received Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, {'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', 'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'token': u'f8ea537c-b924-4d92-935e-4c22ec90d5f7', 'last_activity_at': 1441203636.387588, 'internal_access_path': None, 'console_type': u'novnc', 'host': u'192.168.245.6', 'port': u'5900'}
nova-consoleauth.log:881:2015-09-02 14:20:52 29941 INFO nova.consoleauth.manager [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] Checking Token: f8ea537c-b924-4d92-935e-4c22ec90d5f7, True

and

nova-novncproxy.log:30:2015-09-02 14:20:52 31927 INFO nova.console.websocketproxy [req-a29ab7d8-ab26-4ef2-b942-9bb02d5703a0 None None] 3: connect info: {u'instance_uuid': u'dd29a899-0076-4978-aa50-8fb752f0c3ed', u'internal_access_path': None, u'last_activity_at': 1441203636.387588, u'console_type': u'novnc', u'host': u'192.168.245.6', u'token': u'f8ea537c-b924-4d92-935e-4c22ec90d5f7', u'access_url': u'http://192.168.245.9:6080/vnc_auto.html?token=f8ea537c-b924-4d92-935e-4c22ec90d5f7', u'port': u'5900'}

This token has a short lifetime, but the exposure still represents a potential security weakness, especially as the log records in question are INFO level and thus available via centralized logging. A user with real-time access to these records could mount a denial of service attack by accessing the instance console and performing a Ctrl-Alt-Del to reboot it.

Alternatively, data privacy could be compromised if the attacker were able to obtain user credentials.
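
A defensive logging filter for the exposure described in this report, added here as an example; it is not the nova or oslo.utils fix referenced in the thread. The names `mask_console_token`, `ConsoleTokenFilter` and `ListHandler`, the token value and the URL are constructed for illustration.

```python
import logging
import re

# Constructed sample values (not taken from the bug report).
TOKEN = "00000000-1111-2222-3333-444444444444"
URL = "http://203.0.113.5:6080/vnc_auto.html?token=" + TOKEN

# One pattern per shape the token takes in the log lines quoted above.
_PATTERNS = [
    (re.compile(r"(Token: )[^,\s]+"), r"\1***"),            # "Received Token: <t>,"
    (re.compile(r"(u?'token': u?')[^']*(')"), r"\1***\2"),  # dict repr, py2 or py3
    (re.compile(r"([?&]token=)[^&'\"\s]+"), r"\1***"),      # access_url query string
]

def mask_console_token(text):
    """Return text with console tokens replaced by ***."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text

class ConsoleTokenFilter(logging.Filter):
    """Hypothetical filter: masks the fully formatted message, so tokens
    passed as %-style arguments are caught too."""
    def filter(self, record):
        record.msg = mask_console_token(record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Collects emitted messages in memory for the demonstration."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    """Log two constructed consoleauth-style messages; return what was emitted."""
    handler = ListHandler()
    # On the handler, not the logger, so records from child loggers are covered.
    handler.addFilter(ConsoleTokenFilter())
    log = logging.getLogger("consoleauth_demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("Received Token: %s, %s", TOKEN, {"token": TOKEN, "access_url": URL})
    log.info("Checking Token: %s, %s", TOKEN, True)
    log.removeHandler(handler)
    return handler.lines
```

A filter like this only reduces what reaches the log sink; the token still exists in the process and on the wire, so it complements removing the token from the log call rather than replacing that change.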

information type: Private Security → Public
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

I've switched this report from public to public security since it seems to describe a potential vulnerability.

information type: Public → Public Security
Changed in ossa:
status: New → Incomplete

Fix proposed to branch: master
Review: https://review.openstack.org/220622

Changed in nova:
assignee: nobody → Paul Carlton (paul-carlton2)
status: New → In Progress
Jeremy Stanley (fungi) wrote :

I've added a bugtask for oslo.utils because of partial fix https://review.openstack.org/220620 in that repository.

Jeremy Stanley (fungi) wrote :

Is this behavior present in stable/kilo (and perhaps earlier) or only master?

Paul Carlton (paul-carlton2) wrote :

I see it in stable/kilo and earlier too

Matt Riedemann (mriedem) on 2015-09-08
Changed in oslo.utils:
status: New → In Progress
assignee: nobody → Paul Carlton (paul-carlton2)
importance: Undecided → Low
Changed in nova:
importance: Undecided → Low

Assuming this affects all Nova setups, here is the impact description:

Title: Potential leak of consoleauth token into log files
Reporter: Paul Carlton (HP)
Products: Nova
Affects: versions through 2014.2.3, and 2015.1 versions through 2015.1.1

Description:
Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the services’ logs may obtain the token used for console access. All Nova setups are affected.

Changed in ossa:
status: Incomplete → Confirmed
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in ossa:
status: Confirmed → Triaged
Matt Riedemann (mriedem) wrote :

I'm sort of surprised there is an OSSA for this. We've had many cases of leaked passwords in the nova logs, like when logging connection_info from a block device mapping (might have the admin userid/password in it from the Cinder volume connection) - that kind of thing gets logged quite a bit at debug level. And from what I can remember, we haven't had OSSAs for those changes in the past.

VMT has always considered password leaks in log files OSSA-worthy, except in DEBUG mode.
Is there a bug for the connection_info from a block device mapping issue?

Grant Murphy (gmurphy) wrote :

+1 to impact description with affects line update

Matt Riedemann (mriedem) on 2015-10-09
tags: added: console
Matt Riedemann (mriedem) wrote :

@Tristan, there is a related nova bug 1321785 for the connection_info field in block_device_mapping - and what comes back from cinder's os-initialize_connection API, which keystoneclient was logging the response, fixed here:

https://review.openstack.org/#/c/219004/

Jeremy Stanley (fungi) wrote :

Matt, that (bug 1490693) seems to be an exposure only at DEBUG level, for which we've never issued advisories and always classified as security hardening improvements instead.

Paul Carlton (paul-carlton2) wrote :

Does that mean we will not be back porting changes to juno, kilo and liberty stable?

Jeremy Stanley (fungi) wrote :

Paul, it means that for bug 1490693 if you backport those we still don't need to issue a security advisory.

For the current bug, the credential leak seems to be at INFO level, which is a situation where we typically do issue an advisory.

Jeremy Stanley (fungi) wrote :

Note that this bug is stalled waiting for the master branch fix to get unstuck. We need that and working backports to affected stable branches, then the VMT can issue an advisory.

Paul Carlton (paul-carlton2) wrote :

I am currently working on updating some specs for live migration, which need to be done ASAP to get approved before the December deadline for Mitaka; I will get back to fixing this as soon as I can.

Paul, any progress on that issue?

Changed in nova:
assignee: Paul Carlton (paul-carlton2) → Tony Breeds (o-tony)
Changed in nova:
assignee: Tony Breeds (o-tony) → Paul Carlton (paul-carlton2)

Impact description update to include proper affected releases:

Title: Potential leak of consoleauth token into log files
Reporter: Paul Carlton (HP)
Products: Nova
Affects: =>2015.1, <= 2015.1.2, ==12.0.0

Description:
Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the services’ logs may obtain the token used for console access. All Nova setups are affected.

Grant Murphy (gmurphy) wrote :

+1 impact description.

Jeremy Stanley (fungi) wrote :

Tristan's updated impact description in comment #17 looks great.

Jeremy Stanley (fungi) wrote :

Oh, except the first comma in the affects line is misleading. "=>2015.1 <=2015.1.2, ==12.0.0" would make it clearer the first two versions there indicate the bounds of a range.

Changed in oslo.utils:
status: In Progress → Fix Committed
Changed in nova:
assignee: Paul Carlton (paul-carlton2) → Andrea Rosa (andrea-rosa-m)

@nova-coresec, @Andrea, any progress on this issue?

Andrea Rosa (andrea-rosa-m) wrote :

The patch is in conflict, I am going to rebase it then it is up for review

Changed in nova:
assignee: Andrea Rosa (andrea-rosa-m) → Paul Carlton (paul-carlton2)
Paul Carlton (paul-carlton2) wrote :

Fix awaiting reviews

Updated impact description affected versions:

Title: Potential leak of consoleauth token into log files
Reporter: Paul Carlton (HP)
Products: Nova
Affects: <=12.0.3, ==13.0.0

Description:
Paul Carlton from HP reported a vulnerability in Nova. An attacker with read access to the services’ logs may obtain the token used for console access. All Nova setups are affected.

Changed in oslo.utils:
status: Fix Committed → Fix Released

@DIMS or @gcb: do you know what the oslo.utils changeID is?

If it's https://review.openstack.org/#/c/332438/, then is it planned to do backports down to stable/liberty and stable/mitaka?

Paul Carlton (paul-carlton2) wrote :

The oslo change was https://review.openstack.org/#/c/220620/; the nova fix no longer depends on this. However, the nova fix is still waiting for reviews.

Jeremy Stanley (fungi) wrote :

At this point we're going to need a stable/newton backport of https://review.openstack.org/220622 as well.

Changed in nova:
assignee: Paul Carlton (paul-carlton2) → Tristan Cacqueray (tristan-cacqueray)

Fwiw I just fixed rebase issues and the patch is still up for review: https://review.openstack.org/#/c/220622/
