[OSSA 2013-017] Memcache signing middleware improperly implemented (CVE-2013-2167)

Bug #1175368 reported by Paul McMillan on 2013-05-01
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Low
Thierry Carrez
python-keystoneclient
Medium
Thierry Carrez

Bug Description

The memcache signing middleware in python-keystoneclient is improperly implemented, such that it does not provide the advertised data integrity features. An attacker with access to the memcache instance used as a cache could insert false or changed data which would be silently accepted by the client.

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py

When the 'MAC' security strategy is enabled, the middleware falls through to silently trusting data which is missing the "MAC_MARKER" prefix. When this mode is enabled, the middleware should require all data to be signed, and raise an error when encountering unsigned or incorrectly signed data.

Furthermore, the construction of the MAC:
h(data || token)
is improper, accepting attacker generated signatures with trivial effort since it involves no data which is not available to an attacker.

Instead, it should use the standard HMAC construction:
HMAC (K,m) = H ((K ⊕ opad) ∥ H ((K ⊕ ipad) ∥ m))
where K is a secret key, m is the message, and opad and ipad are standard constants.

The secret key should be produced using an approved key derivation function which differs from the key used when the 'ENCRYPTION' security strategy is in use. More details on appropriate functions are available in NIST Special Publication 800-108.

As currently written, this feature provides no security benefits whatsoever. I will be proposing a patch later today to fix the issues outlined above. I plan to fix this issue in a forwards-compatible way, with the side effect of invalidating existing ephemeral cache values for users who enabled this feature. This should have a CVE. I'm ok with marking this bug as public given the minimal potential for exploitation (an attacker needs access to the memcache instance, which should never happen in a proper deployment) and the assumed low usage rate of this feature.

CVE References

Thierry Carrez (ttx) wrote :

Adding Keystone core

Thierry Carrez (ttx) wrote :

See bug 1175367 for discussion on a common OSSA

Guang Yee (guang-yee) wrote :

Good one! Yes, we should get absolutely get rid of the marker checking logic. Error out if we can't verify or decrypt data.

Thierry Carrez (ttx) on 2013-05-03
Changed in python-keystoneclient:
importance: Undecided → Medium
status: New → Confirmed
Brant Knudson (blk-u) wrote :

What's #1174367 ?

Guang Yee (guang-yee) wrote :

1175367 I think

Proposed patch is on bug 1175367

Changed in python-keystoneclient:
status: Confirmed → In Progress
summary: - Memcache signing middleware improperly implemented
+ Memcache signing middleware improperly implemented (CVE-2013-2167)
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Low
status: New → In Progress
Thierry Carrez (ttx) wrote :

Sent downstream. Proposed public disclosure date/time: Wednesday, June 19, 1500UTC.

Changed in ossa:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-06-19
information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/33661

Changed in python-keystoneclient:
assignee: nobody → Thierry Carrez (ttx)
Thierry Carrez (ttx) on 2013-06-19
summary: - Memcache signing middleware improperly implemented (CVE-2013-2167)
+ [OSSA 2013-017] Memcache signing middleware improperly implemented
+ (CVE-2013-2167)

Reviewed: https://review.openstack.org/33661
Committed: http://github.com/openstack/python-keystoneclient/commit/eeefb784f24c37d5f56a421e1ccc911cace9385e
Submitter: Jenkins
Branch: master

commit eeefb784f24c37d5f56a421e1ccc911cace9385e
Author: Bryan D. Payne <email address hidden>
Date: Fri Jun 7 09:34:25 2013 -0700

    Fix memcache encryption middleware

    This fixes lp1175367 and lp1175368 by redesigning the memcache crypt
    middleware to not do dangerous things. It is forward compatible, but
    will invalidate any existing ephemeral encrypted or signed memcache
    entries.

    Change-Id: Ice8724949a48bfad3b8b7c41b5f50a18a9ad9f42
    Signed-off-by: Bryan D. Payne <email address hidden>

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-06-20
Changed in ossa:
status: Fix Committed → Fix Released
Dolph Mathews (dolph) on 2013-06-26
Changed in python-keystoneclient:
milestone: none → 0.3.0
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers