[OSSA 2013-018] Failing SSL cert check in Glance python client

Bug #1192229 reported by Thomas Leaman
Affects                      Status        Importance  Assigned to     Milestone
Glance Client                Fix Released  High        Thomas Leaman
OpenStack Security Advisory  Fix Released  Medium      Thierry Carrez

Bug Description

'preverify_ok is True' will always return false, the correct syntax should be 'preverify_ok == 1'.

I managed to push a fix to gerrit (under a spurious branch name as I originally opened this bug erroneously on the python-swiftclient project) https://review.openstack.org/#/c/33464/

Revision history for this message
Thierry Carrez (ttx) wrote :

The fix being public, this bug should be public too.

information type: Private Security → Public Security
Thierry Carrez (ttx)
description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

Thomas: did you check if the other clients were similarly affected?

Could you describe the scenario exploiting this vulnerability? You mention on the commit message: "Currently, accessing a host via ip address will pass SSL verification" -- so exploiting this requires enticing the user to use an IP address as the Glance endpoint, in addition to the MiM setup?

Changed in ossa:
importance: Undecided → Low
status: New → Incomplete
importance: Low → Undecided
Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

Currently, commands like the following will pass verification

    glance -A XXX -U https://206.164.176.31:443 index

and it shouldn't! From looking in the code, it's obvious that the expected behavior should be to call host_matches_cert. But this call is being bypassed entirely by the mishandling of the preverify_ok int as a bool.

Changed in python-glanceclient:
assignee: nobody → Thomas Leaman (thomas-leaman)
status: New → In Progress
Revision history for this message
Thierry Carrez (ttx) wrote :

@Thomas:
* is usage of direct IP address the only way to stumble on this vulnerability? Or do you see other cases where this needed verification is bypassed?
* did you already check other OpenStack python-PROJECTclient codebases for the existence of a similar issue?

Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

@Thierry:
* no, currently it will never check the hostname against the certificate so any incorrect hostname (with a 'valid' cert) will pass
* I know that python-swiftclient currently does not do any form of SSL validation but I have not checked the other clients. I will do so in the next few days

Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

All the other python-*clients (with the exception of swiftclient mentioned above) use alternative libraries to provide SSL support and therefore are not affected by this bug.

Thierry Carrez (ttx)
summary: - verify_callback's second if will never be run
+ Failing (or missing) SSL cert check in python client
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
Revision history for this message
Thierry Carrez (ttx) wrote : Re: Failing (or missing) SSL cert check in python client

Proposed impact description:

-----------
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: Glance
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).
------------

Changed in ossa:
status: Confirmed → Triaged
Revision history for this message
Jeremy Stanley (fungi) wrote :

Thierry's proposed impact description in comment #7 looks good to me.

Revision history for this message
Michael Still (mikal) wrote :

Impact description in comment 7 looks good to me.

Revision history for this message
Thierry Carrez (ttx) wrote :

Will file swiftclient issue in another bug. Requested CVE with s/Products: Glance/Products: python-glance-client/ in description

Changed in ossa:
status: Triaged → In Progress
no longer affects: python-swiftclient
Revision history for this message
Thierry Carrez (ttx) wrote :

swiftclient issue is now bug 1199783

Changed in python-glanceclient:
importance: Undecided → High
summary: - Failing (or missing) SSL cert check in python client
+ Failing SSL cert check in Glance python client
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/33464
Committed: http://github.com/openstack/python-glanceclient/commit/822cd64c0718b46a065abbb8709f6b466d12e708
Submitter: Jenkins
Branch: master

commit 822cd64c0718b46a065abbb8709f6b466d12e708
Author: Thomas Leaman <email address hidden>
Date: Tue Jun 18 15:34:45 2013 +0000

    Fix SSL certificate CNAME checking

    Currently, accessing a host via ip address will pass SSL verification;
    the CNAME is not checked as intended as part of verify_callback.

    'preverify_ok is True' will always return false (int/bool comparison).
    preverify_ok will be 1 if preverification has passed.

    Fixes bug 1192229

    Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
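The following is an added example written for this page; it is not python-glanceclient's code. It models the int/bool mix-up described in the bug report and in the commit message above: pyOpenSSL hands the verify callback an int (0 or 1) in preverify_ok, so a guard written as `preverify_ok is True` is never satisfied and the hostname comparison behind it is skipped, which is why `glance -U https://206.164.176.31:443 ...` passed verification against a certificate issued for a DNS name. The FakeCert type, the `host_matches_cert` implementation and the `leaf_accepted` driver are assumptions made for the demonstration (the page names `host_matches_cert` but does not show its body); the original guard and the `preverify_ok == 1` guard from the fix are compared side by side.

```python
"""Added example (not python-glanceclient's code) for bug 1192229:
why `preverify_ok is True` skips the hostname check and why
`preverify_ok == 1` runs it.  pyOpenSSL passes preverify_ok as an int.
"""
import ipaddress
from typing import Callable, List, NamedTuple


class FakeCert(NamedTuple):
    """Constructed stand-in for the leaf X509 object (not pyOpenSSL's type)."""
    common_name: str
    san_dns: List[str]
    san_ip: List[str]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False


def host_matches_cert(host: str, cert: FakeCert) -> bool:
    """Hypothetical hostname check standing in for the page's host_matches_cert.
    An IP-literal host only matches an iPAddress SAN; a DNS host matches the
    CN or a dNSName SAN (RFC 6125 style).  Assumed behaviour, not glanceclient's."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    return any(_dns_name_matches(n, host) for n in [cert.common_name] + cert.san_dns)


def make_verify_callback(host: str, passed: Callable[[int], bool]):
    """Build a pyOpenSSL-style verify callback; `passed` is the guard deciding
    whether OpenSSL's own chain verification succeeded for this certificate."""
    def callback(connection, x509, errnum, depth, preverify_ok):
        # depth 0 is the leaf certificate; only there does the hostname matter
        if depth == 0 and passed(preverify_ok):
            return host_matches_cert(host, x509)
        # otherwise pass OpenSSL's verdict through unchanged
        return preverify_ok
    return callback


def buggy_guard(preverify_ok: int) -> bool:
    """The original guard, 'preverify_ok is True'.  OpenSSL supplies the int 1,
    and `1 is True` is False, so the hostname check is never reached."""
    return preverify_ok is True


def fixed_guard(preverify_ok: int) -> bool:
    """The guard from the fix, 'preverify_ok == 1' (True == 1 also holds)."""
    return preverify_ok == 1


def leaf_accepted(host: str, cert: FakeCert, preverify_ok: int,
                  guard: Callable[[int], bool]) -> bool:
    """Run the leaf callback and report whether the handshake would continue
    (pyOpenSSL treats a truthy return value as 'accept this certificate')."""
    cb = make_verify_callback(host, guard)
    return bool(cb(None, cert, 0, 0, preverify_ok))


# Constructed leaf certificate for the demonstration: issued for a DNS name only
GLANCE_CERT = FakeCert("glance.example.com", ["glance.example.com"], [])

if __name__ == "__main__":
    for guard in (buggy_guard, fixed_guard):
        print(guard.__name__,
              "IP host accepted:", leaf_accepted("206.164.176.31", GLANCE_CERT, 1, guard),
              "DNS host accepted:", leaf_accepted("glance.example.com", GLANCE_CERT, 1, guard))
```

With the original guard the IP-literal endpoint is accepted because the callback falls through to returning OpenSSL's own result (1), which only says the chain is valid, not that the certificate belongs to the host; with the corrected guard the same input is rejected and the genuine hostname is accepted. A guard written as `bool(preverify_ok)` would behave the same as `== 1` and is robust if a library ever passes a bool instead of an int.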

Changed in python-glanceclient:
status: In Progress → Fix Committed
Revision history for this message
Thierry Carrez (ttx) wrote : Re: Failing SSL cert check in Glance python client

Sent to downstream stakeholders

Changed in ossa:
status: In Progress → Fix Committed
Revision history for this message
Thomas Goirand (thomas-goirand) wrote :

Hi. Here's the patch which I backported to version 0.9.0, and which I have just uploaded to Debian Sid.

Revision history for this message
Thierry Carrez (ttx) wrote :

OSSA 2013-018

Changed in ossa:
status: Fix Committed → Fix Released
summary: - Failing SSL cert check in Glance python client
+ [OSSA 2013-018] Failing SSL cert check in Glance python client
Louis Taylor (kragniz)
Changed in python-glanceclient:
status: Fix Committed → Fix Released