[OSSA 2013-018] Failing SSL cert check in Glance python client

Bug #1192229 reported by Thomas Leaman on 2013-06-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance Client
Thomas Leaman
OpenStack Security Advisory
Thierry Carrez

Bug Description

'preverify_ok is True' will always return false, the correct syntax should be 'preverify_ok == 1'.

I managed to push a fix to gerrit (under a spurious branch name as I originally opened this bug erroneously on the python-swiftclient project) https://review.openstack.org/#/c/33464/

Thierry Carrez (ttx) wrote :

The fix being public, this bug should be public too.

information type: Private Security → Public Security
Thierry Carrez (ttx) on 2013-06-20
description: updated
Thierry Carrez (ttx) wrote :

Thomas: did you check if the other clients were similarly affected ?

Could you describe the scenario exploiting this vulnerability ? You mention on the commit message: "Currently, accessing a host via ip address will pass SSL verification" -- so exploiting this requires enticing the user to use an IP address as the Glance endpoint, in addition to the MiM setup ?

Changed in ossa:
importance: Undecided → Low
status: New → Incomplete
importance: Low → Undecided
Thomas Leaman (thomas-leaman) wrote :

Currently, commands like the following will pass verification

    glance -A XXX -U index

and it shouldn't! From looking in the code, it's obvious that the expected behavior should be to call host_matches_cert. But this call is being bypassed entirely by the mishandling of the preverify_ok int as a bool.

Changed in python-glanceclient:
assignee: nobody → Thomas Leaman (thomas-leaman)
status: New → In Progress
Thierry Carrez (ttx) wrote :

* is usage of direct IP address the only way to stumble on this vulnerability ? Or do you see other cases where this needed verification is bypassed ?
* did you already check other OpenStack python-PROJECTclient codebases for the existence of a similar issue ?

Thomas Leaman (thomas-leaman) wrote :

* no, currently it will never check the hostname against the certificate so any incorrect hostname (with a 'valid' cert) will pass
* I know that python-swiftclient currently does not do any form of SSL validation but I have not check the other clients. I will do so in the next few days

Thomas Leaman (thomas-leaman) wrote :

All the other python-*clients (with the exception of swiftclient mentioned above) use alternative libraries to provide SSL support and therefore are not affected by this bug.

Thierry Carrez (ttx) on 2013-06-24
summary: - verify_callback's second if will never be run
+ Failing (or missing) SSL cert check in python client
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
Thierry Carrez (ttx) on 2013-06-26
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)

Proposed impact description:

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: Glance
Affects: All versions

Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).

Changed in ossa:
status: Confirmed → Triaged
Jeremy Stanley (fungi) wrote :

Thierry's proposed impact description in comment #7 looks good to me.

Michael Still (mikal) wrote :

Impact description in comment 7 looks good to me.

Thierry Carrez (ttx) wrote :

Will file swiftclient issue in another bug. Requested CVE with s/Products: Glance/Products: python-glance-client/ in description

Changed in ossa:
status: Triaged → In Progress
no longer affects: python-swiftclient
Thierry Carrez (ttx) wrote :

swiftclient issue is now bug 1199783

Changed in python-glanceclient:
importance: Undecided → High
summary: - Failing (or missing) SSL cert check in python client
+ Failing SSL cert check in Glance python client

Reviewed: https://review.openstack.org/33464
Committed: http://github.com/openstack/python-glanceclient/commit/822cd64c0718b46a065abbb8709f6b466d12e708
Submitter: Jenkins
Branch: master

commit 822cd64c0718b46a065abbb8709f6b466d12e708
Author: Thomas Leaman <email address hidden>
Date: Tue Jun 18 15:34:45 2013 +0000

    Fix SSL certificate CNAME checking

    Currently, accessing a host via ip address will pass SSL verification;
    the CNAME is not checked as intended as part of verify_callback.

    'preverify_ok is True' will always return false (int/bool comparison).
    preverify_ok will be 1 if preverification has passed.

    Fixes bug 1192229

    Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f

Changed in python-glanceclient:
status: In Progress → Fix Committed

Sent to downstream stakeholders

Changed in ossa:
status: In Progress → Fix Committed

Hi. Here's the patch which I backported to version 0.9.0, and which I have just uploaded to Debian Sid.

Thierry Carrez (ttx) wrote :

OSSA 2013-018

Changed in ossa:
status: Fix Committed → Fix Released
summary: - Failing SSL cert check in Glance python client
+ [OSSA 2013-018] Failing SSL cert check in Glance python client
Louis Taylor (kragniz) on 2014-09-21
Changed in python-glanceclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers