python-swiftclient

Missing SSL cert check in Swift python client (CVE-2013-6396)

Bug #1199783 reported by Thierry Carrez
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Fix Released
Medium
Jeremy Stanley
python-swiftclient
Fix Released
High
Thomas Leaman

Bug Description

Thomas Leaman (HP) reported in public bug 1192229 that the Swift python client does not perform any kind of SSL certificate validation, which makes it vulnerable to MiM attacks.

This bug was filed to track this specific issue.

CVE References

Thierry Carrez (ttx)
Changed in ossa:
status: New → Incomplete
Thomas Leaman (thomas-leaman)
Changed in python-swiftclient:
assignee: nobody → Thomas Leaman (thomas-leaman)
Thierry Carrez (ttx)
Changed in python-swiftclient:
importance: Undecided → High
OpenStack Infra (hudson-openstack)
Changed in python-swiftclient:
status: New → In Progress
Revision history for this message
Thierry Carrez (ttx) wrote :

Thomas, any progress on a patch ?

Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

Of sorts, yes. https://review.openstack.org/#/c/33473/

Revision history for this message
Thierry Carrez (ttx) wrote :

@fungi: your take on this one ? Since it's client-side I would classify as a vulnerability, although it's hardly a surprise.

Revision history for this message
Kurt Seifried (kseifried) wrote :

Sounds like this needs a CVE. Thierry ok if I assign one?

Revision history for this message
Thierry Carrez (ttx) wrote :

@Kurt: agreed

Revision history for this message
Thierry Carrez (ttx) wrote :

Sidenote: we should more aggressively request CVEs for public vulnerabilities, even if the patch isn't there yet.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, this clearly needs an advisory (lack of validation, enabling credential and content disclosure to a MitM attacker).

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

Is someone actively reviewing the patch for this ( https://review.openstack.org/#/c/33473/ )?
It seems to have been sitting untouched for a while now.

Revision history for this message
Kurt Seifried (kseifried) wrote :

Added CVE as per https://bugzilla.redhat.com/show_bug.cgi?id=1031652

Jeremy Stanley (fungi)
summary: - Missing SSL cert check in Swift python client
+ Missing SSL cert check in Swift python client (CVE-2013-6396)
Revision history for this message
Jeremy Stanley (fungi) wrote :

Proposed impact description (plagarizing from Thierry's Glance version from bug 1192229)
--
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client request (or response).

Changed in ossa:
status: Confirmed → In Progress
Revision history for this message
Thierry Carrez (ttx) wrote :

Impact desc looks good.
Was wondering though: Once the MiM setup captures the token, couldn't it reuse it for full account access and profit ?

Changed in ossa:
importance: High → Medium
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Thierry,

Yes, I believe the token will give full access to Swift and any other services the the token provides access to (potentially Glance/etc) until it expires.

Revision history for this message
Jakub Ružička (jruzicka) wrote :

Instead of reinventing the wheel with pyOpenSSL, I think it would be much better to use requests module which provide this functionality and is used by other OpenStack clients.

See bug 1255279 for more information.

Revision history for this message
Thomas Leaman (thomas-leaman) wrote :

Jakub, this suggestion has been raised and addressed before (see the comments on https://review.openstack.org/#/c/33473/ around patchset 9).

Revision history for this message
Jeremy Stanley (fungi) wrote :

Updated impact description...
--------

Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any used credentials.

Revision history for this message
Thierry Carrez (ttx) wrote :

+1 on impact desc

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

I started a patch for switching to python-requests in order to fix this bug:
  https://review.openstack.org/#/c/69187

This have been discussed during the last swift meeting (see #topic swiftclient + ssl):
  http://eavesdrop.openstack.org/meetings/swift/2014/swift.2014-01-22-19.00.log.html

As long as python-requests does not feature ssl compression disabling, this will be vulnerable to a CRIME like attack. Though certificate verification is a real issue that should be addressed asap.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-swiftclient (master)

Reviewed: https://review.openstack.org/69187
Committed: https://git.openstack.org/cgit/openstack/python-swiftclient/commit/?id=b182112719ab87942472e44aa3446ea0eb19a289
Submitter: Jenkins
Branch: master

commit b182112719ab87942472e44aa3446ea0eb19a289
Author: Tristan Cacqueray <email address hidden>
Date: Fri Jan 24 17:40:16 2014 +0100

    Port to python-requests

    Currently, httplib implementation does not support SSL certificate
    verification. This patch fixes this. Note that ssl compression parameter
    and 100-continue thing is still missing from requests, though those are
    lower priority.

    Requests now takes care of:
    * proxy configuration (get_environ_proxies),
    * chunked encoding (with data generator),
    * bulk uploading (with files dictionary),
    * SSL certificate verification (with 'insecure' and 'cacert' parameter).

    This patch have been tested with requests 1.1.0 (CentOS 6) and requests
    2.2.1 (current version).

    Change-Id: Ib5de962f4102d57c71ad85fd81a615362ef175dc
    Closes-Bug: #1199783
    DocImpact
    SecurityImpact

Changed in python-swiftclient:
status: In Progress → Fix Committed
Revision history for this message
Matthew Thode (prometheanfire) wrote :

fix released 2.0.2?

Revision history for this message
Matthew Thode (prometheanfire) wrote :

Also, are we going to have a patch backported to >swiftclient-2 ? If not then the vuln still exists for grizzly releases.

Tristan Cacqueray (tristan-cacqueray)
Changed in ossa:
status: In Progress → Fix Released
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@prometheanfire: python-swiftclient-2.0.2 contains the fix.

The version have bumped to 2.0 because this fix will break 1.0 (if certificates weren't verified, 1.0 users would be required to add the '--insecure' parameter for swiftclient to keep working). Thus there is no plan to backport this to swiftclient 1.0 branch.

John Dickinson (notmyname)
Changed in python-swiftclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.