Missing SSL cert check in Swift python client (CVE-2013-6396)

Bug #1199783 reported by Thierry Carrez on 2013-07-10
Affects / Importance / Assigned to:
OpenStack Security Advisory: Medium, Jeremy Stanley
python-swiftclient: High, Thomas Leaman

Bug Description

Thomas Leaman (HP) reported in public bug 1192229 that the Swift python client does not perform any kind of SSL certificate validation, which makes it vulnerable to MiM attacks.

This bug was filed to track this specific issue.

Thierry Carrez (ttx) on 2013-07-10
Changed in ossa:
status: New → Incomplete
Changed in python-swiftclient:
assignee: nobody → Thomas Leaman (thomas-leaman)
Thierry Carrez (ttx) on 2013-07-12
Changed in python-swiftclient:
importance: Undecided → High
Changed in python-swiftclient:
status: New → In Progress
Thierry Carrez (ttx) wrote :

Thomas, any progress on a patch?

Thierry Carrez (ttx) wrote :

@fungi: your take on this one? Since it's client-side I would classify it as a vulnerability, although it's hardly a surprise.

Kurt Seifried (kseifried) wrote :

Sounds like this needs a CVE. Thierry ok if I assign one?

Thierry Carrez (ttx) wrote :

@Kurt: agreed

Thierry Carrez (ttx) wrote :

Sidenote: we should more aggressively request CVEs for public vulnerabilities, even if the patch isn't there yet.

Jeremy Stanley (fungi) wrote :

Yes, this clearly needs an advisory (lack of validation, enabling credential and content disclosure to a MitM attacker).

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Thomas Leaman (thomas-leaman) wrote :

Is someone actively reviewing the patch for this ( https://review.openstack.org/#/c/33473/ )?
It seems to have been sitting untouched for a while now.

Jeremy Stanley (fungi) on 2013-11-27
summary: - Missing SSL cert check in Swift python client
+ Missing SSL cert check in Swift python client (CVE-2013-6396)
Jeremy Stanley (fungi) wrote :

Proposed impact description (plagiarizing from Thierry's Glance version from bug 1192229)
--
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client request (or response).

Changed in ossa:
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote :

Impact desc looks good.
Was wondering though: once the MiM setup captures the token, couldn't it reuse it for full account access and profit?

Changed in ossa:
importance: High → Medium

Thierry,

Yes, I believe the token will give full access to Swift and any other services the token provides access to (potentially Glance/etc) until it expires.

Jakub Ruzicka (jruzicka) wrote :

Instead of reinventing the wheel with pyOpenSSL, I think it would be much better to use the requests module, which provides this functionality and is used by other OpenStack clients.

See bug 1255279 for more information.

Thomas Leaman (thomas-leaman) wrote :

Jakub, this suggestion has been raised and addressed before (see the comments on https://review.openstack.org/#/c/33473/ around patchset 9).

Jeremy Stanley (fungi) wrote :

Updated impact description...
--------

Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any used credentials.

Thierry Carrez (ttx) wrote :

+1 on impact desc

I started a patch for switching to python-requests in order to fix this bug:
  https://review.openstack.org/#/c/69187

This has been discussed during the last swift meeting (see #topic swiftclient + ssl):
  http://eavesdrop.openstack.org/meetings/swift/2014/swift.2014-01-22-19.00.log.html

As long as python-requests does not feature SSL compression disabling, this will be vulnerable to a CRIME-like attack. Though certificate verification is a real issue that should be addressed ASAP.

Reviewed: https://review.openstack.org/69187
Committed: https://git.openstack.org/cgit/openstack/python-swiftclient/commit/?id=b182112719ab87942472e44aa3446ea0eb19a289
Submitter: Jenkins
Branch: master

commit b182112719ab87942472e44aa3446ea0eb19a289
Author: Tristan Cacqueray <email address hidden>
Date: Fri Jan 24 17:40:16 2014 +0100

    Port to python-requests

    Currently, httplib implementation does not support SSL certificate
    verification. This patch fixes this. Note that ssl compression parameter
    and 100-continue thing is still missing from requests, though those are
    lower priority.

    Requests now takes care of:
    * proxy configuration (get_environ_proxies),
    * chunked encoding (with data generator),
    * bulk uploading (with files dictionary),
    * SSL certificate verification (with 'insecure' and 'cacert' parameter).

    This patch has been tested with requests 1.1.0 (CentOS 6) and requests
    2.2.1 (current version).

    Change-Id: Ib5de962f4102d57c71ad85fd81a615362ef175dc
    Closes-Bug: #1199783
    DocImpact
    SecurityImpact
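The 'insecure' and 'cacert' options the commit above describes, and the SSL compression caveat raised earlier in the thread, as an added example (not python-swiftclient's or the commit's own code): it builds the client-side TLS context those options imply and audits whether a context would actually catch a man-in-the-middle presenting a forged certificate. The mapping in requests_verify_value is an assumption drawn from the commit message, not the project's exact implementation; stdlib only, Python 3.4+.

```python
import ssl
from typing import Dict, Optional, Union


def requests_verify_value(insecure: bool, cacert: Optional[str]) -> Union[bool, str]:
    """Value a swiftclient-style client would hand to requests' `verify`.

    Assumption (from the commit description, not its code): 'insecure' wins and
    disables verification; otherwise a custom CA bundle path is used; otherwise
    the system trust store (True).
    """
    if insecure:
        return False
    return cacert if cacert else True


def build_context(insecure: bool, cacert: Optional[str] = None) -> ssl.SSLContext:
    """Client-side SSLContext equivalent of that `verify` value."""
    verify = requests_verify_value(insecure, cacert)
    if verify is False:
        # This is what pre-2.0 httplib-based clients effectively did: no chain
        # validation and no hostname check, so any certificate is accepted.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    cafile = verify if isinstance(verify, str) else None
    # create_default_context() enables chain validation, hostname checking and
    # OP_NO_COMPRESSION (the CRIME mitigation requests lacked at the time).
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Report whether a context would detect a forged server certificate."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    verifies_hostname = bool(ctx.check_hostname)
    return {
        "verifies_chain": verifies_chain,
        "verifies_hostname": verifies_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # Both checks are needed: chain validation alone accepts any valid cert
        # for any name, hostname checking alone accepts a self-signed forgery.
        "mitm_resistant": verifies_chain and verifies_hostname,
    }


if __name__ == "__main__":
    print("secure  :", audit_context(build_context(insecure=False)))
    print("insecure:", audit_context(build_context(insecure=True)))
```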

Changed in python-swiftclient:
status: In Progress → Fix Committed
Matthew Thode (prometheanfire) wrote :

fix released 2.0.2?

Matthew Thode (prometheanfire) wrote :

Also, are we going to have a patch backported to >swiftclient-2? If not then the vuln still exists for grizzly releases.

Changed in ossa:
status: In Progress → Fix Released

@prometheanfire: python-swiftclient-2.0.2 contains the fix.

The version was bumped to 2.0 because this fix will break 1.0 (if certificates weren't verified, 1.0 users would be required to add the '--insecure' parameter for swiftclient to keep working). Thus there is no plan to backport this to the swiftclient 1.0 branch.
