OpenStack Security Notes

keystone.conf should not be world-readable (to keep LDAP password and admin_token secret)

Reported by Xu Han Peng on 2013-04-12
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Security Notes | | High | Robert Clark |
devstack | | High | Dean Troyer |
Gentoo Linux | Fix Released | Low | |

Bug Description

The password configuration of LDAP and admin_token in keystone.conf should be secret to protect security information:

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None <- should be secret
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd <- should be secret

Xu Han Peng (xuhanp) on 2013-04-12
information type: Private Security → Public Security
Changed in keystone:
assignee: nobody → Xu Han Peng (xuhanp)

Fix proposed to branch: master
Review: https://review.openstack.org/26826

Changed in keystone:
status: New → In Progress
Thierry Carrez (ttx) on 2013-04-12
tags: added: security
information type: Public Security → Public
Alan Pevec (apevec) wrote :

Kurt, proposed patch only sets oslo.config.cfg secret attribute:
        :param secret: true iff the value should be obfuscated in log output
This does not hide the password values in the config file, just prevents leakage in the logfile.

In , J-ago (j-ago) wrote :

From ${URL} :

A security flaw was found in the way Openstack Keystone (previously) performed management of LDAP
password and admin_token Keystone daemon configuration file values. A local attacker could use this
flaw to obtain sensitive information.

References:
[1] https://bugs.launchpad.net/keystone/+bug/1168252
[2] http://www.openwall.com/lists/oss-security/2013/04/19/2

Relevant upstream patch (Gerrit form):
[3] https://review.openstack.org/#/c/26826/

Patch has not been approved yet.

Changed in keystone (Gentoo Linux):
importance: Unknown → Low

Ok the CVE I assigned (CVE-2013-1977 as per http://seclists.org/oss-sec/2013/q2/126) covers the default devstack (git clone https://github.com/openstack-dev/devstack.git ; cd devstack && ./stack.sh ) which creates:

drwxr-xr-x. 3 stack root 4096 Apr 19 18:39 /etc/keystone
-rw-rw-r--. 1 stack stack 10251 Apr 19 18:33 /etc/keystone/keystone.conf

which exposes the above secrets. If things are ALSO exposed in the log files that's a second security issue as well and I'll assign a CVE for it.

Thierry Carrez (ttx) wrote :

There is a bit of confusion around this bug. There are two issues:

1/ LDAP password is specified in a world-readable file
This is not a Keystone issue. This is a packaging/deployment issue: that file should not be deployed world-readable. At most that would be a devstack issue (although I don't think anyone ever relied on devstack to deploy openstack in any kind of secure fashion) -- and the CVE should be updated to reflect that.

2/ LDAP password config option is not marked "secret" so it MAY show in logs
That's what the proposed fix actually fixes. I'm not sure the LDAP password is actually logged anywhere, but marking it secret actually makes sure it would not show if that was the case. This should be filed as a separate bug.

Changed in keystone:
status: In Progress → Confirmed
assignee: Xu Han Peng (xuhanp) → nobody
affects: keystone → devstack
summary: - LDAP password and admin_token should be secret
+ keystone.conf should not be world-readable (to keep LDAP password and
+ admin_token secret)
Thierry Carrez (ttx) wrote :

I fixed title and affected project to reflect (1)

Changed in devstack:
importance: Undecided → High
Thierry Carrez (ttx) wrote :

Adding OSSN task since it looks like a good candidate for an OpenStack Security Note (secure deployment/packaging guidance)

Kurt Seifried (kseifried) wrote :

Ok also assigned CVE-2013-2006 for the OpenStack keystone LDAP password disclosure in log files

http://openwall.com/lists/oss-security/2013/04/24/1

Robert Clark (robert-clark) wrote :

Happy to create an OSSN for issue 1, keystone.conf world readable.

Issue 2, ldap creds being set to secret: I think I'm right in saying a fix is in place, is that backported?

Robert Clark (robert-clark) wrote :

DRAFT: Keystone configuration should not be world readable
---

### Summary ###
In some deployments keystone.conf, which contains confidential information, is set to world readable.

### Affected Services / Software ###
Keystone, DevStack

### Discussion ###
It is important that deployers of OpenStack ensure that keystone.conf is not world readable. In some deployments the keystone configuration file is readable by all users (and processes) on the installation system.

### Recommended Actions ###
Ensure that in your deployment keystone.conf is not world readable.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Bryan D. Payne (bdpayne) wrote :

Re the OSSN, I'd like to see more specifics about what the confidential information is (e.g., as listed in the original bug report). I suggest the following v2:

DRAFT v2: Keystone configuration should not be world readable
---

### Summary ###
In some deployments keystone.conf, which contains confidential information, is set to world readable.

### Affected Services / Software ###
Keystone, DevStack

### Discussion ###
It is important that deployers of OpenStack ensure that keystone.conf is not world readable. In some deployments the keystone configuration file is readable by all users (and processes) on the installation system. This file should be set with the most restrictive permissions that allow the system to continue proper operations.

In particular, the password configuration of the LDAP section and the admin_token contain secret information:

---- begin example config snippet ----
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None <- should be secret
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd <- should be secret
---- end example config snippet ----

### Recommended Actions ###
Ensure that in your deployment keystone.conf uses the most restrictive permissions that allow the system to continue proper operations.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Kurt Seifried (kseifried) wrote :

2/ LDAP password config option is not marked "secret" so it MAY show in logs
That's what the proposed fix actually fixes. I'm not sure the LDAP password is actually logged anywhere, but marking it secret actually makes sure it would not show if that was the case. This should be filed as a separate bug.

so for this I assigned CVE-2013-2006 (http://seclists.org/oss-sec/2013/q2/164)

Robert Clark (robert-clark) wrote :

Keystone configuration should not be world readable
---

### Summary ###
In some deployments keystone.conf, which contains confidential information, is set to world readable.

### Affected Services / Software ###
Keystone, DevStack

### Discussion ###
It is important that deployers of OpenStack ensure that keystone.conf is not world readable. In some deployments the keystone configuration file is readable by all users (and processes) on the installation system. This file should be set with the most restrictive permissions that allow the system to continue proper operations.

In particular, the password configuration of the LDAP section and the admin_token contain secret information:

---- begin example config snippet ----
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None <- should be secret
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd <- should be secret
---- end example config snippet ----

### Recommended Actions ###
Ensure that in your deployment keystone.conf uses the most restrictive permissions that allow the system to continue proper operations.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg

Robert Clark (robert-clark) wrote :

Keystone configuration should not be world readable
---

### Summary ###
In some deployments keystone.conf, which contains confidential information, is set to world readable.

### Affected Services / Software ###
Keystone, DevStack, Deployment

### Discussion ###
It is important that deployers of OpenStack ensure that keystone.conf is not world readable. In some deployments the keystone configuration file is readable by all users (and processes) on the installation system. This file should be set with the most restrictive permissions that allow the system to continue proper operations.

In particular, the password configuration of the LDAP section and the admin_token contain secret information:

---- begin example config snippet ----
[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = None <- should be secret
suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd <- should be secret
---- end example config snippet ----

### Recommended Actions ###
Ensure that in your deployment keystone.conf uses the most restrictive permissions that allow the system to continue proper operations.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
OpenStack Security ML : <email address hidden>
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: CVE-2013-1977
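
An added example, not part of the thread or of any OpenStack code: one way to audit the recommended action above, reporting which of the secret options named in the bug report are set in a file that group or other can read. The sample file content, the function names and the rule that an empty value or the literal "None" counts as unset are assumptions made for the illustration.

```python
import configparser
import os
import stat
import tempfile

# (section, option) pairs the bug report names as secret.
SECRET_OPTIONS = [("DEFAULT", "admin_token"), ("ldap", "password")]

# Constructed sample, modelled on the snippet in the report (values are made up).
SAMPLE_CONF = """\
[DEFAULT]
admin_token = passw0rd

[ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=com
password = example-ldap-password
"""


def exposed_secrets(path):
    """List secret options that are set in a file readable by group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & (stat.S_IRGRP | stat.S_IROTH):
        return []  # owner-only (e.g. 0600): nothing is exposed to other local users
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    exposed = []
    for section, option in SECRET_OPTIONS:
        value = parser.get(section, option, fallback=None)
        # Assumption: an empty value or the literal "None" means "not configured".
        if value not in (None, "", "None"):
            exposed.append(f"{section}.{option}")
    return exposed


def demo():
    """Audit a 0664 copy of the sample, then again after chmod 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keystone.conf")
        with open(path, "w") as handle:
            handle.write(SAMPLE_CONF)
        os.chmod(path, 0o664)  # -rw-rw-r--, the mode in the devstack listing
        before = exposed_secrets(path)
        os.chmod(path, 0o600)  # owner-only, the mode the devstack fix sets
        return before, exposed_secrets(path)


if __name__ == "__main__":
    print(demo())
```
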

Lloyd Dewolf (lloydde) wrote :

For anyone else who comes along looking for the separate bug:

> Thierry Carrez (ttx) wrote on 2013-04-23:

> 2/ LDAP password config option is not marked "secret" so it MAY show in logs
> That's what the proposed fix actually fixes. I'm not sure the LDAP password is actually logged anywhere, but marking it secret
> actually makes sure it would not show if that was the case. This should be filed as a separate bug.

It is #1172195 "admin_token and LDAP password show up in log in DEBUG mode"

Robert Clark (robert-clark) wrote :

Published on OpenStack and OpenStack-Dev on 13 May 2013

Changed in ossn:
status: New → In Progress
importance: Undecided → High
status: In Progress → Fix Released
assignee: nobody → Robert Clark (robert-clark)
Matthew Thode (prometheanfire) wrote :

fix released for folsom and grizzly, grizzly with the devstack patch and folsom with this patch.

diff -Naur keystone-2012.2.4/keystone/config.py keystone-2012.2.4.new/keystone/config.py
--- keystone-2012.2.4/keystone/config.py 2013-04-11 15:02:19.000000000 -0400
+++ keystone-2012.2.4.new/keystone/config.py 2013-05-17 11:26:57.557918817 -0400
@@ -110,7 +110,7 @@
     group = kw.pop('group', None)
     return conf.register_cli_opt(cfg.IntOpt(*args, **kw), group=group)

-register_str('admin_token', default='ADMIN')
+register_str('admin_token', secret=True, default='ADMIN')
 register_str('bind_host', default='0.0.0.0')
 register_str('compute_port', default=8774)
 register_str('admin_port', default=35357)
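Review bot: the admin_token line keeps default='ADMIN', so a deployment that never sets the option still runs with a token anyone can guess, and secret=True does nothing about that because it only obfuscates the value in log output. Suggest dropping the default (or refusing to start while it is unchanged) and stating in the patch description that protecting the value on disk is a file-permission matter handled elsewhere.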
@@ -162,7 +162,7 @@
 #ldap
 register_str('url', group='ldap', default='ldap://localhost')
 register_str('user', group='ldap', default='dc=Manager,dc=example,dc=com')
-register_str('password', group='ldap', default='freeipa4all')
+register_str('password', group='ldap', secret=True, default='freeipa4all')
 register_str('suffix', group='ldap', default='cn=example,cn=com')
 register_bool('use_dumb_member', group='ldap', default=False)
 register_str('user_name_attribute', group='ldap', default='sn')
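Review bot: the ldap password line still ships default='freeipa4all', a concrete password string in source that secret=True does not remove; anyone who can read config.py knows the fallback bind password. Suggest default=None, matching the "password = None" shown in the sample keystone.conf, so that a missing setting fails visibly instead of falling back to a shared value.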

affects: keystone (Gentoo Linux) → gentoo

fix released for folsom and grizzly, offending ebuilds removed from tree.

fixed in keystone-2012.2.4-r3.ebuild and keystone-2013.1.1.ebuild

CVE-2013-1977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1977):
  OpenStack devstack uses world-readable permissions for keystone.conf, which
  allows local users to obtain sensitive information such as the LDAP password
  and admin_token secret by reading the file.

We're done here.

Changed in gentoo:
status: Unknown → Fix Released
Dean Troyer (dtroyer) on 2013-10-22
Changed in devstack:
assignee: nobody → Dean Troyer (dtroyer)

Hi,
FYI, I don't think Debian is affected by this issue, since both keystone.conf and the log files are owned by the keystone users, and aren't world readable. At least, that's what I can see in my POC.

Reviewed: https://review.openstack.org/53248
Committed: http://github.com/openstack-dev/devstack/commit/d561b70930f7184ade05953faa11a47dc250a16c
Submitter: Jenkins
Branch: master

commit d561b70930f7184ade05953faa11a47dc250a16c
Author: Dean Troyer <email address hidden>
Date: Tue Oct 22 17:46:00 2013 -0500

    Set keystone.conf to mode 0600

    Set keystone.conf readable only by owner
    Fixes CVE-2013-1977

    Fixed bug: 1168252

    Change-Id: Idd13b7a58e257565052c54f72c65d8dceb23f27a

Dean Troyer (dtroyer) on 2013-12-09
Changed in devstack:
status: Confirmed → Fix Released