Retrieving secrets from untrusted URIs can leak auth tokens
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-barbicanclient |
Won't Fix
|
High
|
Unassigned | ||
Bug Description
If a user (or more importantly, a service) attempts to fetch a Secret/
Example:
A service allows a user to provide a Certificate and Private Key in the form of a Barbican Container URI.
Malicious user Tim stands up his own server at https:/
Tim provides a "properly formatted" yet malicious Container URI to the service: https:/
The service generates a Keystone token and passes it in the headers of a GET request to the provided URI.
Tim retrieves the valid token from his logs, and uses the service's token to access other resources (either belonging to the service, or possibly other users depending on the access level of the service's account).
This can be mitigated by validating that any URI provided to the client matches one of the Barbican endpoints in the user's Service Catalog in Keystone (to which the client should already have access).
*Possibly* there could be an additional flag similar to '--insecure' to bypass this restriction, but it would by no means be the default option.
| information type: | Private Security → Public |
| information type: | Public → Public Security |
| Changed in python-barbicanclient: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| Douglas Mendizábal (dougmendizabal) wrote | #1 |
| Changed in python-barbicanclient: | |
| status: | Confirmed → Won't Fix |
| John Wood (john-wood-w) wrote | #2 |
Marking this as "Won't Fix" after a conversation I had with Paul Kehrer a while back. In this scenario it is the responsibility of the service that receives the customer data to validate the data before acting on it.