keystoneauth auth plugins should not use etree XML parsing

Bug #1534284 reported by Brant Knudson on 2016-01-14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Brant Knudson

Bug Description

XML parsing is surprisingly difficult and fraught with danger, for example entity expansion makes it easy to cause a lot of memory to be used and therefore crash your system. keystoneclient is using etree parsing which has these potential issues, although in the case of keystoneclient it's the response from the IdP which I think is generally trusted.

This is in python-keystoneclient/keystoneclient/contrib/auth/v3/

There's a defusedxml parser that has protections against these attacks and should therefore be used instead if possible - - the docs for this page also include some examples of other possible attacks.

This was caught by bandit 0.17.0.

I'm going to start this out as private security so we can think about it some more before it goes public, even though it's probably not something that needs an issue since I think the source is generally trusted. If you can't trust your IdP then who can you trust?

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated

So this affect the saml2 authentication plugin and the exploit needs to first impersonate an identity provider in order to answer with malicious xml content ?

Brant Knudson (blk-u) wrote :

It can either be the Service Provider response or the Identity Provider response. These values are both parsed using lxml.etree.XML.

Brant Knudson (blk-u) wrote :

keystoneauth has this same code.

Adding keystone-coresec for further investigation.

So in order to impersonate Service Provider response or the Identity Provider response, these endpoints need to be in http right ? If so, this is likely a C1 type of bug (according to ).

Jeremy Stanley (fungi) wrote :

So does this mean that (say in a federated auth model) any malicious actor at a configured IdP can crash services calling into keystoneauth?

Brant Knudson (blk-u) wrote :

Jeremy - my understanding is that, yes, if you control the SP or the IdP then you can crash any application using keystoneauth / keystoneclient when the system is configured for SAML authentication (federation) by crafting a response to exploit the expansion function in lxml.etree. It's possible the SP/IdP might even be able to read a file off the system via external entity expansion... I'll have to look at the code some more... the client takes the value sent to it and then modifies it for reuse without getting rid of stuff that would be invalid or ignored as far as I can tell.

If somebody controls the SP and/or IdP then there's probably all sorts of other badness that they can get up to that's worse than crashing the applications. Keystone does try to protect the deployment from some of these things (for example, the mapping needs to be valid and will therefore limit what the SP and IdP can get up to... a sane configuration would prevent the SP/IdP from becoming admin through the mapping).

So, keystone will protect against some bad actions by SP/IdP. The deployer might think that this makes them "safe" and trust their external IdP. The SP/IdP admin could exploit this to crash their (or their customers') systems (or read files off their systems?) by crafting bad responses.

Tristan - I wouldn't object to a C1 classification. I don't know of a real exploit here, this is all speculative.

Morgan Fainberg (mdrnstm) wrote :

So, this likely can't crash keystone but could cause issues with the client. Depends on how apache_saml2 processing handles this problem.

This is not likely to hit anything outside of client(s). It doesn't change the risk of ugly things.

Morgan Fainberg (mdrnstm) wrote :

This also likely can be made public, but I'm happy to let brant think that over a bit more.

Morgan Fainberg (mdrnstm) wrote :

Ah you did say it was only consumers of ksa not keystoneserver. Sorry.

I've removed the privacy settings and put the OSSA task as Won't Fix based on above comments. This can be put back to incomplete if the situation changes.

description: updated
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
tags: added: security
Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Medium
Morgan Fainberg (mdrnstm) wrote :

Marking this as "wont fix" against KSC as it shouldn't be needed long term (Session, AuthPlugins, and CLI are all being removed soon/are deprecated)

Changed in python-keystoneclient:
status: New → Won't Fix
summary: - keystoneclient should not use etree XML parsing
+ keystoneauth auth plugins should not use etree XML parsing
Jamie Lennox (jamielennox) wrote :

Unfortunately defusedxml is not part of global-requirements and that's not a battle i care to have. However we are also wanting to move away from lxml to remove the C dependencies that lxml bring. So alternative options would be appreciated.

For a shorter term fix, googling the issue brings up [1], suggesting we can do:

    from lxml import etree
    parser = etree.XMLParser(resolve_entities=False)

I think (i haven't looked closely) that this should be safe for SAML. Can we update bandit to check for this specifically?


Fix proposed to branch: master

Changed in keystoneauth:
assignee: nobody → Kairat Kushaev (kkushaev)
status: Triaged → In Progress
Changed in keystoneauth:
assignee: Kairat Kushaev (kkushaev) → Pavlo Shchelokovskyy (pshchelo)
Morgan Fainberg (mdrnstm) wrote :

Unassigning due to inactivity

Changed in keystoneauth:
status: In Progress → Triaged
assignee: Pavlo Shchelokovskyy (pshchelo) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers