Python client library for Keystone

[OSSA-2013-013] Updating password via keystoneclient CLI should be done securely

Reported by Jake Dahn on 2012-02-22
Affects                      Status        Importance  Assigned to      Milestone
OpenStack Security Advisory  Fix Released  Low         Jeremy Stanley   -
python-keystoneclient        Fix Released  High        Pradeep Kilambi  0.2.4

Bug Description

Updating a password via the CLI should be done via a secure password prompt, not in plain text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

CVE References

CVE-2013-2013

Jake Dahn (jakedahn) on 2012-02-22
tags: added: python-keystoneclient
Brian Waldon (bcwaldon) on 2012-02-22
Changed in keystone:
assignee: nobody → Brian Waldon (bcwaldon)
Brian Waldon (bcwaldon) on 2012-02-22
Changed in keystone:
status: New → In Progress
Brian Waldon (bcwaldon) on 2012-03-23
Changed in keystone:
status: In Progress → Triaged
assignee: Brian Waldon (bcwaldon) → nobody
Changed in keystone:
assignee: nobody → adapaka bhavaniprasad (adapaka-prasad)
assignee: adapaka bhavaniprasad (adapaka-prasad) → nobody
Changed in keystone:
assignee: nobody → adapaka bhavaniprasad (adapaka-prasad)
Joseph Heck (heckj) wrote :

adapaka - how are you doing on resolving this bug? Since you assigned it to yourself, I'm assuming you're trying to do that. If not, I'll move it back to unassigned.

Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: adapaka bhavaniprasad (adapaka-prasad) → nobody
Thierry Carrez (ttx) on 2012-07-04
affects: keystone → python-keystoneclient
Thierry Carrez (ttx) on 2012-08-01
tags: added: security
removed: python-keystoneclient

Fix proposed to branch: master
Review: https://review.openstack.org/12669

Changed in python-keystoneclient:
assignee: nobody → Bhuvaneswaran A (bhuvan)
status: Triaged → In Progress

For the record, posted a patch for review.
For backward compatibility and to support automated environments, the current functionality is retained. That said, with the new patch, the user can either specify the new password on the command line or enter it at the prompt.

Kurt Seifried (kseifried) wrote :

Assigned a CVE for this as per http://openwall.com/lists/oss-security/2013/04/26/6

While auditing OpenStack bugs for flaws needing CVEs I came across
this (as yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@...s ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.

Thierry Carrez (ttx) wrote :

Could make sense to release a security advisory for this one when fixed. That would be our first for a client library/CLI...

information type: Public → Public Security
Thierry Carrez (ttx) wrote :

@Bhuvan: care to revive your proposed patch ?

Thierry Carrez (ttx) wrote :

Looks like we'll have to find someone else to revive that patch.

Pradeep Kilambi (pkilambi) wrote :

If no one else is working on this, I can take a look. Do we have to revive the old patch, or can I come up with something different?

Thierry Carrez (ttx) wrote :

@Pradeep: you can definitely come up with something different. Reading the original proposal, it wasn't exactly perfect or approved yet.

Pradeep Kilambi (pkilambi) wrote :

Thanks! I'll get started on this.

Fix proposed to branch: master
Review: https://review.openstack.org/28686

Changed in python-keystoneclient:
assignee: Bhuvaneswaran A (bhuvan) → Pradeep Kilambi (pkilambi)

Fix proposed to branch: master
Review: https://review.openstack.org/28702

Reviewed: https://review.openstack.org/28702
Committed: http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77
Submitter: Jenkins
Branch: master

commit f2e0818bc97bfbeba83f6abbb07909a8debcad77
Author: Pradeep Kilambi <email address hidden>
Date: Thu May 9 09:29:02 2013 -0700

    Allow secure user password update.

    This patch allows the user password to be updated via
    a command prompt so the password doesn't show up in the bash history.
    The prompted password is asked twice to verify the match.
    If the user Ctrl-D's the prompt, a message appears suggesting the user
    use either of the options to update the password.

    Fixes: bug#938315

    Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39

Changed in python-keystoneclient:
status: In Progress → Fix Committed
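As an added illustration of both halves of this report (the exposure described in the bug and the behaviour the commit message above describes), and not code from python-keystoneclient or from the commit itself: the first function is the check a local user or an auditor would run, scanning process command lines as read from /proc/<pid>/cmdline for password flags; the rest is a minimal argparse CLI that keeps --pass for scripted use but otherwise prompts twice without echo and, on Ctrl-D, tells the user how to proceed. The sample command lines are constructed, the flag names other than --pass are assumed, and the injectable `reader` parameter is an assumption made so the prompt logic can run without a terminal.

```python
import argparse
import getpass
import sys

# Constructed sample of /proc/<pid>/cmdline contents (NUL-separated argv) for
# a few local processes; not captured from a real host.
SAMPLE_CMDLINES = [
    b"keystone\x00user-password-update\x00--pass\x00foo\x00jake\x00",
    b"keystone\x00user-password-update\x00jake\x00",
    b"nova\x00--os-username\x00jake\x00--os-password=hunter2\x00list\x00",
    b"python\x00-m\x00http.server\x00",
]

# Flags to look for; only --pass appears in the report, the others are assumed.
PASSWORD_FLAGS = ("--pass", "--password", "--os-password")


def find_cli_passwords(cmdlines):
    """Return (argv[0], flag, value) for each process exposing a password.

    This is the same view `ps -ef` gives every local user: any secret passed
    as an argument is readable by anyone who can list processes.
    """
    hits = []
    for raw in cmdlines:
        argv = [a.decode() for a in raw.split(b"\x00") if a]
        for i, arg in enumerate(argv):
            if arg in PASSWORD_FLAGS and i + 1 < len(argv):
                hits.append((argv[0], arg, argv[i + 1]))
            elif "=" in arg and arg.split("=", 1)[0] in PASSWORD_FLAGS:
                flag, value = arg.split("=", 1)
                hits.append((argv[0], flag, value))
    return hits


class PasswordUpdateError(Exception):
    """Raised when no usable new password could be obtained."""


def prompt_new_password(reader=getpass.getpass):
    """Read the new password twice from a no-echo prompt.

    `reader` is an assumed injection point (defaults to getpass.getpass) so
    the logic can be exercised without a TTY.
    """
    try:
        first = reader("New Password: ")
        second = reader("Repeat New Password: ")
    except EOFError:
        # Ctrl-D at the prompt: say how the password may be supplied instead.
        raise PasswordUpdateError(
            "no password entered; enter it at the prompt or pass --pass "
            "(which other local users can read from the process list)") from None
    if first != second:
        raise PasswordUpdateError("passwords do not match")
    if not first:
        raise PasswordUpdateError("password must not be empty")
    return first


def build_parser():
    """Mirror the usage shown in the report: --pass <password> <user-id>."""
    parser = argparse.ArgumentParser(prog="keystone user-password-update")
    parser.add_argument("--pass", dest="password", default=None,
                        help="new password (insecure: visible in ps output)")
    parser.add_argument("user_id")
    return parser


def resolve_new_password(argv, reader=getpass.getpass):
    """Return (user_id, new_password), prompting only when --pass is absent."""
    args = build_parser().parse_args(argv)
    if args.password is not None:
        return args.user_id, args.password
    return args.user_id, prompt_new_password(reader)


if __name__ == "__main__":
    for proc, flag, value in find_cli_passwords(SAMPLE_CMDLINES):
        print("exposed: %s %s %s" % (proc, flag, value))
    try:
        user_id, new_password = resolve_new_password(sys.argv[1:])
    except PasswordUpdateError as exc:
        sys.exit("error: %s" % exc)
    # A real client would now call the Keystone API with the new password.
    print("would update password for %s (%d characters)"
          % (user_id, len(new_password)))
```

Run as `python example.py jake` to be prompted twice, or `python example.py --pass foo jake` to see the backward-compatible path; the first form is what the fixed CLI offers, and the scan at the top shows why the second still leaks to `ps`.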

Proposed impact description...

    Title: Keystone client local information disclosure
    Reporter: Jake Dahn (Nebula)
    Products: python-keystoneclient
    Affects: All versions

    Description:
    Jake Dahn from Nebula reported a vulnerability that the keystone
    client only allows passwords to be updated in a clear text
    command-line argument, which may enable other local users to obtain
    sensitive information by listing the process and potentially leaves
    a record of the password within the shell command history.

Thierry Carrez (ttx) wrote :

+1 to impact desc

Russell Bryant (russellb) wrote :

+1, description sounds good to me, too

Thierry Carrez (ttx) wrote :

OSSA-2013-013.
Still needs to be pushed to openstack-announce.

Changed in ossa:
assignee: nobody → Jeremy Stanley (fungi)
importance: Undecided → Low
status: New → Fix Committed
summary: - Updating password via keystoneclient CLI should be done securely.
+ [OSSA-2013-013] Updating password via keystoneclient CLI should be done
+ securely
Jeremy Stanley (fungi) on 2013-05-24
Changed in ossa:
status: Fix Committed → Fix Released
Dolph Mathews (dolph) on 2013-05-29
Changed in python-keystoneclient:
milestone: none → 0.2.4
status: Fix Committed → Fix Released