Issues regarding application credentials
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Undecided | David Wilde | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
While looking into the application credential API we came across several issues. Since they are all closely related I will file them under this issue:
- No secret strength requirements. To configure a password strength requirement for users, one can use `password_regex`. However, this is not possible for application credentials, which makes it possible to create a credential with the secret 'a':
$ openstack application credential create test-secret-
+------
| Field | Value |
+------
| description | None |
| expires_at | None |
| id | xxxxxxxxxxxxxxx
| name | test-secret-
| project_id | xxxxxxxxxxxxxxx
| roles | member reader |
| secret | a |
| system | None |
| unrestricted | False |
| user_id | xxxxxxxxxxxxxxx
+------
To attack this, you'd still need to know the ID, but combined with https:/
- No lockout feature. For normal login, the settings `lockout_
- Only part of secret is verified. It looks like only the first 72 characters of the secret of an application credential are used to verify it. Characters after that are not used in the verification. The default length of a secret seems to be 86 characters. Even though brute-forcing 72 characters is still pretty impossible, this doesn't sound like intended behaviour to me.
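The two checks below are an added example written for this page; they are not code from the bug report or from keystone. They show how a deployer could audit application credential secrets for the first and third findings above: apply a `password_regex`-style strength rule to the secret, and probe whether the hash function in use silently ignores everything past some byte offset (the 72-character limit reported above matches bcrypt's 72-byte input limit, so a default 86-character secret gains nothing from its last 14 characters). The hasher here is a constructed SHA-256 stand-in that truncates at 72 bytes so the script runs offline; the strength regex is likewise a constructed sample, not keystone's default.

```python
"""Audit helpers for application credential secrets (constructed example)."""
import hashlib
import hmac
import re
from typing import Callable, List, Optional

# Constructed sample strength rule in the spirit of keystone's password_regex:
# at least 20 characters with a digit, a lowercase and an uppercase letter.
DEFAULT_SECRET_REGEX = r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{20,}$"

# Byte offset after which the stand-in hasher ignores input. 72 is bcrypt's
# documented limit; the hasher itself is SHA-256 so this runs without passlib.
TRUNCATE_AT = 72


def truncating_hash(secret: str) -> str:
    """Constructed stand-in for a hasher that only consumes 72 bytes."""
    return hashlib.sha256(secret.encode("utf-8")[:TRUNCATE_AT]).hexdigest()


def full_hash(secret: str) -> str:
    """Constructed control hasher that consumes the whole secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def verify(hasher: Callable[[str], str], secret: str, stored: str) -> bool:
    """Constant-time comparison of a candidate secret against a stored hash."""
    return hmac.compare_digest(hasher(secret), stored)


def check_secret_strength(secret: str, regex: str = DEFAULT_SECRET_REGEX) -> bool:
    """Return True if the secret satisfies the configured strength regex."""
    return re.search(regex, secret) is not None


def probe_truncation(hasher: Callable[[str], str], max_len: int = 128) -> Optional[int]:
    """Find the byte offset past which the hasher ignores its input.

    Hash an ASCII secret of max_len bytes, then flip one byte at a time. The
    first position whose change still verifies is the effective limit; None
    means no truncation was observed below max_len.
    """
    base = "A" * max_len
    stored = hasher(base)
    for n in range(max_len):
        mutated = base[:n] + "B" + base[n + 1:]
        if verify(hasher, mutated, stored):
            return n
    return None


def audit_secret(secret: str, regex: str, hasher: Callable[[str], str]) -> List[str]:
    """Return human-readable findings for one secret against one hasher."""
    findings = []
    if not check_secret_strength(secret, regex):
        findings.append("weak: secret does not satisfy the strength regex")
    limit = probe_truncation(hasher)
    if limit is not None and len(secret.encode("utf-8")) > limit:
        findings.append(
            f"truncated: only the first {limit} bytes of the secret are verified"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs: the one-character secret from the report, and an
    # 86-character secret matching the default generated length.
    for candidate in ("a", "Ab1" + "x" * 83):
        print(repr(candidate[:12]), audit_secret(candidate, DEFAULT_SECRET_REGEX, truncating_hash))
    print("full_hash truncates at:", probe_truncation(full_hash))
```

Running the probe against a deployment's real verifier (for instance through passlib's bcrypt handler) rather than the stand-in tells you the effective secret length your credentials actually get; the strength check is what keystone's `password_regex` already does for user passwords and what the report notes is missing for application credentials.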
CVE References
Changed in keystone: assignee: nobody → David Wilde (dave-wilde)
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.