OpenStack Compute (Nova)

Incorrect secret key causes user details to be revealed

Reported by Stanislaw Pitucha on 2011-10-05
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Critical
Stanislaw Pitucha
Diablo
Undecided
Unassigned
nova (Ubuntu)
Undecided
Unassigned
Maverick
High
Jamie Strandboge
Natty
High
Jamie Strandboge
Oneiric
High
Jamie Strandboge
Precise
Undecided
Unassigned

Bug Description

If the secret key doesn't match for the ec2 request, the exception passed back to the user, showing the correct password.

To replicate:
# export EC2_ACCESS_KEY='oomNAG3AGwnlKDAM9gFe'
# export EC2_SECRET_KEY='anything'
# euca-describe-instances
Warning: failed to parse error message from AWS: <unknown>:1:0: syntax error
BotoServerError: 500 Internal Server Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/paste/urlmap.py", line 203, in __call__
    return app(environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/nova/api/ec2/__init__.py", line 58, in __call__
    rv = req.get_response(self.application)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 937, in get_response
    application, catch_exc_info=False)
  File "/usr/lib/pymodules/python2.7/webob/request.py", line 906, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 147, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/pymodules/python2.7/webob/dec.py", line 208, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/nova/api/ec2/__init__.py", line 189, in __call__
    req.path)
  File "/usr/lib/python2.7/dist-packages/nova/auth/manager.py", line 344, in authenticate
    user=user)
InvalidSignature: Invalid signature w6q++6lcvoEcBkcQuT1yNDURSpM8tq3a+WbhYeKWuX4= for user User('nova', 'nova', 'oomNAG3AGwnlKDAM9gFe', 'eXTMGYDx7FhSI7ng3YfE', True).

Thierry Carrez (ttx) on 2011-10-25
Changed in nova:
status: New → Fix Committed
importance: Undecided → Critical
Jamie Strandboge (jdstrand) wrote :

Precise already has the fix (2012.1~e1~20111020.11229-0ubuntu1)

Changed in nova (Ubuntu Precise):
status: New → Fix Released
Changed in nova (Ubuntu Maverick):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Natty):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Oneiric):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Maverick):
status: New → Confirmed
Changed in nova (Ubuntu Natty):
status: New → Confirmed
Changed in nova (Ubuntu Oneiric):
status: New → Confirmed
Changed in nova (Ubuntu Maverick):
status: Confirmed → Triaged
Changed in nova (Ubuntu Natty):
status: Confirmed → Triaged
Changed in nova (Ubuntu Oneiric):
status: Confirmed → Triaged
Changed in nova (Ubuntu Oneiric):
status: Triaged → In Progress
Changed in nova (Ubuntu Maverick):
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in nova (Ubuntu Natty):
assignee: Jamie Strandboge (jdstrand) → nobody
Thierry Carrez (ttx) wrote :

FWIW I'm getting a proper vulnerability management team in place so that such issues are not overlooked (and left rotting) in the future.

Work in progress at:
http://wiki.openstack.org/VulnerabilityManagement

Jamie Strandboge (jdstrand) wrote :

Ubuntu 11.04 and 10.10 are in universe, but Dave Walker gave me the ack to patch these (natty applied with some fuzz, maverick did not apply for __init__.py, but did for auth/manager.py, which should be enough to close the vulnerability).

Jamie Strandboge (jdstrand) wrote :

Thierry, do you have a CVE for this?

Changed in nova (Ubuntu Natty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

In terms of priority, I've discussed this with others (including an EC2 expert). The EC2_ACCESS_KEY is effectively a username and the EC2_SECRET_KEY is effectively a password. The EC2_ACCESS_KEY is not generally discoverable and hard to enumerate without brute forcing and is not typically shared, so most people should be ok. That said, if someone set their EC2_URL to http or used a toolkit that used https but did not perform certificate verification (an unfortunately common practice), then the EC2_ACCESS_KEY could be revealed and the EC2_SECRET_KEY acquired. As such, leaving this as 'High'.

Jamie Strandboge (jdstrand) wrote :

10.10 - 11.10 uploaded all build locally. Uploaded to the security ppa.

Changed in nova (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in nova (Ubuntu Natty):
status: Triaged → Fix Committed
Changed in nova (Ubuntu Oneiric):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Packages built. Based on feedback from the server team, publishing.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.3-0ubuntu6.2

---------------
nova (2011.3-0ubuntu6.2) oneiric-security; urgency=low

  * SECURITY UPDATE: fix information leak via invalid key
    debina/patches/security-fix-lp868360.patch: adjust nova/auth/manager.py
    to not return access, secret or admin fields for User error and
    project_manager_id, description and member_ids for Project
    - LP: #868360
    - CVE-2011-XXXX
 -- Jamie Strandboge <email address hidden> Tue, 25 Oct 2011 08:57:02 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.2-0ubuntu1.1

---------------
nova (2011.2-0ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: fix information leak via invalid key
    debina/patches/security-fix-lp868360.patch: adjust nova/auth/manager.py
    to not return access, secret or admin fields for User error and
    project_manager_id, description and member_ids for Project
    - LP: #868360
    - CVE-2011-XXXX
 -- Jamie Strandboge <email address hidden> Tue, 25 Oct 2011 09:04:51 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 0.9.1~bzr331-0ubuntu2.1

---------------
nova (0.9.1~bzr331-0ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: fix information leak via invalid key
    debina/patches/security-fix-lp868360.patch: adjust nova/auth/manager.py
    to not return access, secret or admin fields for User error and
    project_manager_id, description and member_ids for Project
    - LP: #868360
    - CVE-2011-XXXX
 -- Jamie Strandboge <email address hidden> Tue, 25 Oct 2011 09:14:00 -0500

Changed in nova (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in nova (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in nova (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Marking public. CVE requested via oss-security.

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

CVE-2011-4076 has been assigned for this issue.

Reviewed: https://review.openstack.org/1081
Committed: http://github.com/openstack/nova/commit/b1ab6da1495784ff581000018a6047fd19cf82c4
Submitter: Jenkins
Branch: stable/diablo

 status fixcommitted
 done

commit b1ab6da1495784ff581000018a6047fd19cf82c4
Author: Ahmad Hassan <email address hidden>
Date: Mon Aug 1 17:16:49 2011 +0100

    Stop returning correct password on api calls

    Captured invalid signature exception in authentication step, so that
    the problem is not returning exception to user, revealing the real
    password.
    Fixes bug 868360.

    (cherry picked from commit beee11edbfdd82cd81bc9c0fd75912c167892c2b)

    Change-Id: I5d6f713358dc720514b3e693f9adb11ccacecdd0

Reviewed: https://review.openstack.org/993
Committed: http://github.com/openstack/nova/commit/03c9f40f1d7be54e62b129edf41a3c729049ce0c
Submitter: Jenkins
Branch: stable/diablo

 status fixcommitted
 done

commit 03c9f40f1d7be54e62b129edf41a3c729049ce0c
Author: Johannes Erdfelt <email address hidden>
Date: Tue Oct 18 22:08:49 2011 +0000

    Don't leak exceptions out to users

    Fixed bug 874472

    Exceptions can contain all kinds of sensitive information, including
    SQL queries (and arguments), configuration information and in some
    cases the correct password (bug 868360). The information isn't useful
    to users, so don't return potentially sensitive information. The
    exceptions still get logged for debugging and troubleshooting purposes.

    (cherry picked from commit 2431b7848d633dc67ad684b4d1cc79468df24568)

    Change-Id: I45af83ee5276b92259522a4761137d7339d2b77d

Thierry Carrez (ttx) on 2011-11-09
Changed in nova:
milestone: none → essex-1
Thierry Carrez (ttx) on 2011-11-17
Changed in nova:
status: Fix Committed → Fix Released

Hello Stanislaw, or anyone else affected,

Accepted nova into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Mark McLoughlin (markmc) on 2012-04-03
Changed in nova:
assignee: nobody → Stanislaw Pitucha (stanislaw-pitucha)
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-1 → 2012.1
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers