OpenStackKeyring's encryption code does not provide confidentiality

Bug #1319381 reported by Alex Gaynor on 2014-05-14
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Undecided
Unassigned
python-openstackclient
Fix Released
High
Dean Troyer

Bug Description

The keying used for the block cipher in the keyring code (https://github.com/openstack/python-openstackclient/blob/master/openstackclient/common/openstackkeyring.py#L40). Is produced by taking the tail of the module name and appending 0s to it. This means that the key is completely predictable to an attacker, and thus this encryption provides no confidentiality, passwords are as good as plaintext.

As an aside, this code also assumes that PyCrypto provides a default IV (which is bad), however this is no longer true in more recent PyCryptos; to me this indicates that this code probably isn't used (since the requirements.txt doesn't pin the version) and thus should be removed rather than rehabilitated.

Thierry Carrez (ttx) wrote :

python-openstackclient is not an official project nor is it supported by the OpenStack Vulnerability Management Team, so this won't result in a OSSA. This still very much needs to be fixed, though ! (especially as openstackclient would like to become official, and therefore probably supported, one day)

Changed in ossa:
status: New → Won't Fix
Alex Gaynor (alex-gaynor) wrote :

Is anyone presently working on a patch (and if not, do people generally agree with my analysis that this code should just be deleted?); and will a CVE be obtained for this?

Dean Troyer (dtroyer) wrote :

Agreed that the correct resolution is to just remove the capability and not set false user expectations.

Changed in python-openstackclient:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dean Troyer (dtroyer)
Jeremy Stanley (fungi) wrote :

For what it's worth, I tried to use it at one point and was never able to even get the keyring to work in plaintext mode much less encrypted. If the feature's nonfunctional, then there's probably no need for the python-openstackclient authors to issue an advisory, obtain a CVE or even keep this bug private since it wouldn't be exploitable anyway.

Alex Gaynor (alex-gaynor) wrote :

On the basis of this, I've filed a public review to remove the code: https://review.openstack.org/#/c/104344/

Jeremy Stanley (fungi) wrote :

I recommend switching the bug to public (not even public security, since there's no vulnerability given that the insecure feature also seems to be entirely nonfunctional).

information type: Private Security → Public

Reviewed: https://review.openstack.org/104344
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=b8f534df011fd3b16a182d25f627876aeecfee07
Submitter: Jenkins
Branch: master

commit b8f534df011fd3b16a182d25f627876aeecfee07
Author: Alex Gaynor <email address hidden>
Date: Wed Jul 2 14:12:44 2014 -0700

    Remove keyring support from openstackclient

    * The encryption it purports to offer is completely insecure.
    * It also appears to be broken.

    Closes-Bug: #1319381
    Change-Id: Id15ecfbbfd15f142b14c125bfd85afd5032699ac

Changed in python-openstackclient:
status: Triaged → Fix Committed
Dean Troyer (dtroyer) on 2014-09-06
Changed in python-openstackclient:
milestone: none → m5
Dean Troyer (dtroyer) on 2014-09-09
Changed in python-openstackclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers