[OSSA-2013-013] Updating password via keystoneclient CLI should be done securely (CVE-2013-2013)

Bug #938315 reported by Jake Dahn
Affects                       Status         Importance   Assigned to       Milestone
OpenStack Security Advisory   Fix Released   Low          Jeremy Stanley    -
python-keystoneclient         Fix Released   High         Pradeep Kilambi   -

Bug Description

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

Tags: security

Jake Dahn (jakedahn)
tags: added: python-keystoneclient
Brian Waldon (bcwaldon)
Changed in keystone:
assignee: nobody → Brian Waldon (bcwaldon)
Brian Waldon (bcwaldon)
Changed in keystone:
status: New → In Progress
Brian Waldon (bcwaldon)
Changed in keystone:
status: In Progress → Triaged
assignee: Brian Waldon (bcwaldon) → nobody
Changed in keystone:
assignee: nobody → adapaka bhavaniprasad (adapaka-prasad)
assignee: adapaka bhavaniprasad (adapaka-prasad) → nobody
Changed in keystone:
assignee: nobody → adapaka bhavaniprasad (adapaka-prasad)
Joseph Heck (heckj) wrote :

adapaka - how are you doing on resolving this bug? Since you assigned it to yourself, I'm assuming you're trying to do that. If not, I'll move it back to unassigned.

Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: adapaka bhavaniprasad (adapaka-prasad) → nobody
Alan Pevec (apevec) wrote :
Thierry Carrez (ttx)
affects: keystone → python-keystoneclient
Thierry Carrez (ttx)
tags: added: security
removed: python-keystoneclient
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12669

Changed in python-keystoneclient:
assignee: nobody → Bhuvaneswaran A (bhuvan)
status: Triaged → In Progress
Bhuvan Arumugam (bhuvan) wrote : Re: Updating password via keystoneclient CLI should be done securely.

For the record, posted a patch for review.
For backward compatibility and to support automated environments, the current functionality is retained. That said, with the new patch, the user can either specify the new password on the command line or enter it at the prompt.

Kurt Seifried (kseifried) wrote :

Assigned a CVE for this as per http://openwall.com/lists/oss-security/2013/04/26/6

While auditing OpenStack bugs for flaws needing CVE's I came across
this (as of yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@...s ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.

Thierry Carrez (ttx) wrote :

Could make sense to release a security advisory for this one when fixed. That would be our first for a client library/CLI...

information type: Public → Public Security
Thierry Carrez (ttx) wrote :

@Bhuvan: care to revive your proposed patch?

Thierry Carrez (ttx) wrote :

Looks like we'll have to find someone else to revive that patch.

Pradeep Kilambi (pkilambi) wrote :

If no one else is working on this, I can take a look. Do we have to revive the old patch, or can I come up with something different?

Thierry Carrez (ttx) wrote :

@Pradeep: you can definitely come up with something different. Reading from the original proposal, it wasn't exactly perfect or approved yet.

Pradeep Kilambi (pkilambi) wrote :

Thanks! I'll get started on this.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/28686

Changed in python-keystoneclient:
assignee: Bhuvaneswaran A (bhuvan) → Pradeep Kilambi (pkilambi)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/28702

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/28702
Committed: http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77
Submitter: Jenkins
Branch: master

commit f2e0818bc97bfbeba83f6abbb07909a8debcad77
Author: Pradeep Kilambi <email address hidden>
Date: Thu May 9 09:29:02 2013 -0700

    Allow secure user password update.

    This patch allows the ability for user password to be updated via
    a command prompt so the password doesn't show up in the bash history.
    The prompted password is asked twice to verify the match.
    If the user Ctrl-D's the prompt, a message appears suggesting the user use
    either of the options to update the password.

    Fixes: bug#938315

    Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39

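The behaviour the merged commit message describes, written out as an added example (this is not python-keystoneclient's own code, and the names get_password, scripted_prompt, PromptAborted and PasswordMismatch are hypothetical): a command-line value is still accepted for scripted use, otherwise the password is read twice from a non-echoing prompt, and Ctrl-D at the prompt is reported with a hint about both options instead of a traceback. The prompt function is injectable so the logic can be exercised without a terminal.

```python
"""Added example of a secure password prompt for a CLI password update.

Not the project's own implementation. getpass.getpass does not echo the
typed characters, and the value never appears in argv, so it is not visible
in process listings or shell history. Passing --pass on the command line is
kept only for automated environments, at the cost of that exposure.
"""
import argparse
import getpass
import sys


class PasswordMismatch(Exception):
    """The two prompted entries never matched within the allowed attempts."""


class PromptAborted(Exception):
    """The user closed the prompt (Ctrl-D / EOF) without entering a password."""


def get_password(cli_password=None, getpass_fn=getpass.getpass, max_attempts=3):
    """Return the new password to set.

    cli_password: value of an explicit --pass argument (kept for automation;
                  visible to other local users via the process list).
    getpass_fn:   prompt function; defaults to getpass.getpass (no echo).
    max_attempts: how many mismatching pairs are tolerated before giving up.
    """
    if cli_password:
        return cli_password
    for _ in range(max_attempts):
        try:
            first = getpass_fn("New Password: ")
            second = getpass_fn("Repeat New Password: ")
        except EOFError:
            # Ctrl-D at the prompt: explain both ways of supplying the password.
            raise PromptAborted(
                "No password entered. Either answer the prompt or pass "
                "--pass <password> (which exposes it to other local users).")
        if not first:
            print("Password must not be empty.", file=sys.stderr)
            continue
        if first == second:
            return first
        print("Passwords do not match, please try again.", file=sys.stderr)
    raise PasswordMismatch("Passwords did not match after %d attempts" % max_attempts)


def scripted_prompt(answers):
    """Build a stand-in for getpass that replays constructed answers.

    A None entry simulates the user pressing Ctrl-D (EOFError). Used for
    testing the prompt logic without a terminal.
    """
    it = iter(answers)

    def fake_getpass(prompt):
        value = next(it)
        if value is None:
            raise EOFError
        return value

    return fake_getpass


if __name__ == "__main__":
    # Usage: python example.py [--pass <password>]
    parser = argparse.ArgumentParser()
    parser.add_argument("--pass", dest="password", default=None,
                        help="new password (insecure: visible in ps/history)")
    ns = parser.parse_args()
    try:
        pw = get_password(ns.password)
    except (PromptAborted, PasswordMismatch) as exc:
        sys.exit("error: %s" % exc)
    print("Password of %d characters accepted (not echoed)." % len(pw))
```

Run without arguments to see the double prompt; run with `--pass` to see the retained scripted path. In a real client the returned value would be sent to the identity API over TLS, never echoed or logged.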
Changed in python-keystoneclient:
status: In Progress → Fix Committed
Jeremy Stanley (fungi) wrote : Re: Updating password via keystoneclient CLI should be done securely.

Proposed impact description...

    Title: Keystone client local information disclosure
    Reporter: Jake Dahn (Nebula)
    Products: python-keystoneclient
    Affects: All versions

    Description:
    Jake Dahn from Nebula reported a vulnerability that the keystone
    client only allows passwords to be updated in a clear text
    command-line argument, which may enable other local users to obtain
    sensitive information by listing the process and potentially leaves
    a record of the password within the shell command history.

Thierry Carrez (ttx) wrote :

+1 to impact desc

Russell Bryant (russellb) wrote :

+1, description sounds good to me, too

Thierry Carrez (ttx) wrote :

OSSA-2013-013.
Still needs to be pushed to openstack-announce.

Changed in ossa:
assignee: nobody → Jeremy Stanley (fungi)
importance: Undecided → Low
status: New → Fix Committed
summary: - Updating password via keystoneclient CLI should be done securely.
+ [OSSA-2013-013] Updating password via keystoneclient CLI should be done
+ securely
Jeremy Stanley (fungi)
Changed in ossa:
status: Fix Committed → Fix Released
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.2.4
status: Fix Committed → Fix Released
Jeremy Stanley (fungi)
summary: [OSSA-2013-013] Updating password via keystoneclient CLI should be done
- securely
+ securely (CVE-2013-2013)