Incorrect condition expression for ssl_insecure (CVE-2014-7144)

Bug #1353315 reported by Qin Zhao
Affects                      Importance  Assigned to
OpenStack Security Advisory  Medium      Grant Murphy
keystonemiddleware           High        wanghong
python-keystoneclient        High        Qin Zhao

Bug Description

In auth_token.py, _http_request(), self.ssl_insecure is a string. If the insecure option is set in nova api-paste.ini, whether it is 'true' or 'false', kwargs['verify'] will become False.

        if self.ssl_insecure:
            kwargs['verify'] = False

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/112232

Changed in python-keystoneclient:
assignee: nobody → Qin Zhao (zhaoqin)
status: New → In Progress
Jamie Lennox (jamielennox) wrote : Re: Incorrect condition expression for ssl_insecure

We are no longer making functional changes to auth_token in keystoneclient. Refiled against keystonemiddleware.

Changed in python-keystoneclient:
status: In Progress → Invalid
Morgan Fainberg (mdrnstm) wrote :

The same comments about the option set in the paste.ini for bug 1354269 and this being managed by the oslo.config object apply here.

This, if oslo.config is used as a fix, is a duplicate of bug 1354269

Dolph Mathews (dolph) wrote :

The scenario where a deployer specifically sets:

  ssl_insecure = false

... in an attempt to ensure that verification is performed will be sorely disappointed to learn that it is not, and perhaps left vulnerable. This qualifies as a security fix and *should* be fixed in python-keystoneclient as well as keystonemiddleware.

Changed in python-keystoneclient:
status: Invalid → Triaged
Changed in keystonemiddleware:
status: New → Triaged
importance: Undecided → High
Changed in python-keystoneclient:
importance: Undecided → High
information type: Public → Public Security
Changed in ossa:
status: New → Incomplete
Dolph Mathews (dolph) wrote :

After reading the code & proposed patch, I'm not sure that the assertion made by this bug is correct: "In auth_token.py, _http_request(), self.ssl_insecure is a string" (it's defined using oslo to be a bool). Can someone confirm that this is an issue?

Also, my example config in comment #4 should not have used "ssl_insecure." The correct configuration option is actually:

    insecure = false

Travis McPeak (travis-mcpeak) wrote :

Adding OSSN placeholder in case one is warranted.

Dolph Mathews (dolph) wrote :

Hmm, I'm not confident I know the difference between OS Security Advisories and Notes - should Advisory be removed here?

wanghong (w-wanghong) wrote :

I have done the tests and can confirm this is an issue. If I add 'insecure = 1' in /etc/nova/nova.conf it is OK, the 'insecure' can be converted to bool. But, if I add 'insecure = 1' in /etc/nova/api-paste.ini the 'insecure' would be a string. This is because when the conf is added in /etc/nova/api-paste.ini the conf will be passed into the AuthProtocol class as initialization parameters rather than passed into oslo.

Changed in keystonemiddleware:
assignee: nobody → wanghong (w-wanghong)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/113191

Changed in keystonemiddleware:
status: Triaged → In Progress
Thierry Carrez (ttx) wrote : Re: Incorrect condition expression for ssl_insecure

So... how we consider this depends a bit on how common it is to pass such parameters in api-paste.conf instead of nova.conf. Are both options fully supported? Was one deprecated in favor of the other?

Brant Knudson (blk-u) wrote :

Thierry - config options for auth_token can be put in either api-paste.ini or .conf. Both are fully supported. I think the plan was to deprecate api-paste.ini options but that never happened.

Thierry Carrez (ttx)
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Thierry Carrez (ttx)
no longer affects: ossn
Grant Murphy (gmurphy)
Changed in ossa:
assignee: nobody → Grant Murphy (gmurphy)
Grant Murphy (gmurphy) wrote :

Draft impact description:

Title: TLS certificate verification option not honoured in paste configurations
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.9.0 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in python-keystoneclient and keystonemiddleware. When the 'insecure' option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware and python-keystoneclient configured via a paste.ini file are affected by this flaw.

Tristan Cacqueray (tristan-cacqueray) wrote :

Impact description in #12 looks good to me.

Maybe a note that ssl configuration in .conf is not impacted if no ssl configuration is done in paste file.

Thierry Carrez (ttx) wrote :

Maybe "certificate" -> "cert" and "configurations" -> "configs" in the title for shorter title line ?

Maybe mention that the vulnerability is in keystonemiddleware, which was in the past shipped as part of python-keystoneclient (that may make it clearer what they need to update)

Changed in ossa:
status: Confirmed → Triaged
Changed in keystonemiddleware:
milestone: none → 1.2.0
Changed in python-keystoneclient:
milestone: none → 0.11.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/113191
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=5835b232519be6a0497ee77316307acb79d9c7b1
Submitter: Jenkins
Branch: master

commit 5835b232519be6a0497ee77316307acb79d9c7b1
Author: wanghong <email address hidden>
Date: Mon Aug 11 15:54:47 2014 +0800

    convert the conf value into correct type

    If options are set in paste file e.g. api-paste.ini for nova, all
    the option values passed into AuthProtocol.conf are string type.
    So, we should convert the conf value into correct type.

    Change-Id: I0367cd6b54ee49f5db6541840539e7700f241f87
    Closes-Bug: #1353315

Changed in keystonemiddleware:
status: In Progress → Fix Committed
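The string-truthiness problem stated in the bug description and the typed coercion the merged commit message describes, as an added Python example that is not keystonemiddleware's or python-keystoneclient's own code. The `parse_bool` helper, the `_OPT_TYPES` table, the `coerce_conf` and `request_kwargs_*` functions and the `PASTE_CONF` dictionary are constructed for this illustration; the two names used on this page (`ssl_insecure` in the report, `insecure` in the config) are collapsed to the config key `insecure`.

```python
"""
Added example, not keystonemiddleware's or python-keystoneclient's code:
shows why `if self.ssl_insecure:` disables verification for the string
'false', and a typed-coercion fix in the spirit of the merged commit
("convert the conf value into correct type").  All names below are
constructed for the illustration; the real middleware's API differs.
"""


def parse_bool(value):
    """Parse the spellings a deployer is likely to write in an .ini file.
    Unrecognised text is rejected loudly rather than silently treated as
    True (the original bug) or False."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "1", "yes", "on"):
        return True
    if text in ("false", "0", "no", "off"):
        return False
    raise ValueError("unrecognised boolean value: %r" % (value,))


# Option table: name -> (type converter, default).  Constructed for this
# example to stand in for a declared option type; not a real option list.
_OPT_TYPES = {
    "insecure": (parse_bool, False),
    "http_connect_timeout": (int, None),
    "http_request_max_retries": (int, 3),
}


def coerce_conf(raw_conf):
    """Convert every known option from the string form a paste file yields
    into its declared type; unknown keys are passed through unchanged."""
    typed = {}
    for key, value in raw_conf.items():
        if key in _OPT_TYPES:
            converter, _default = _OPT_TYPES[key]
            typed[key] = converter(value)
        else:
            typed[key] = value
    return typed


def request_kwargs_vulnerable(conf):
    """Pre-fix logic from the bug report: a non-empty string such as
    'false' is truthy in Python, so verification is switched off whatever
    the deployer wrote."""
    kwargs = {}
    ssl_insecure = conf.get("insecure", False)
    if ssl_insecure:
        kwargs["verify"] = False
    return kwargs


def request_kwargs_fixed(conf):
    """Same decision, made on a value that has been coerced to bool first."""
    kwargs = {}
    typed = coerce_conf(conf)
    if typed.get("insecure", False):
        kwargs["verify"] = False
    return kwargs


# Constructed sample of what AuthProtocol receives when the options live in
# api-paste.ini: every value arrives as a string.
PASTE_CONF = {"insecure": "false", "http_request_max_retries": "3"}


if __name__ == "__main__":
    print("vulnerable:", request_kwargs_vulnerable(PASTE_CONF))  # {'verify': False}
    print("fixed:     ", request_kwargs_fixed(PASTE_CONF))       # {}
```

With `insecure = false` in the paste file the vulnerable path still returns `{'verify': False}`, which is exactly the silent loss of certificate verification the advisory text describes; the coerced path leaves `verify` at its default, and a value like `insecure = maybe` raises instead of being interpreted one way or the other.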
Grant Murphy (gmurphy) wrote : Re: Incorrect condition expression for ssl_insecure

Impact description - update

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.

Changed in python-keystoneclient:
status: Triaged → In Progress
Grant Murphy (gmurphy)
Changed in ossa:
status: Triaged → In Progress
Thierry Carrez (ttx) wrote :

+1 impact desc

Morgan Fainberg (mdrnstm) wrote :

This will be released in a subsequent point release (slated for 0.11.1) once it merges.

Changed in python-keystoneclient:
milestone: 0.11.0 → none
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/112232
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Submitter: Jenkins
Branch: master

commit 5c9c97f1a5dffe5964e945bf68d009fd68e616fc
Author: Qin Zhao <email address hidden>
Date: Wed Aug 6 15:47:58 2014 +0800

    Fix the condition expression for ssl_insecure

    In the existing code, self.ssl_insecure is a string. If insecure
    option is set in nova api-paste.ini, whatever it is 'true' or
    'false', kwargs['verify'] will become False. This commit corrects
    the condition expression. This patch is backported from
    https://review.openstack.org/#/c/113191/

    Change-Id: I91db8e1cb39c017167a4160079846ac7c0663b03
    Closes-Bug: 1353315

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 0.11.0
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Jeremy Stanley (fungi) wrote : Re: Incorrect condition expression for ssl_insecure

This bug has been assigned CVE-2014-7144.

summary: - Incorrect condition expression for ssl_insecure
+ Incorrect condition expression for ssl_insecure (CVE-2014-7144)
Dolph Mathews (dolph)
Changed in keystonemiddleware:
status: Fix Committed → Fix Released
Grant Murphy (gmurphy) wrote :
Changed in ossa:
status: In Progress → Fix Released