Client-accessible headers are used to send authentication information to other middlewares

Because this is an issue in Swift with tempauth, which only exists for testing and is not a production auth system, I do not think this is a security issue in Swift itself.

However, since this is an issue with the interaction of several projects as it relates to S3 access in Swift, and because it's based on the way auth works in Swift, I asked Tim to submit it agains Swift as a coordination point for this bug.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

just quick look of description (not tested yet), it looks correct. we may be able to make the hole with current authentication scheme. I'll try to test in my local env and then make a feedback later. Thanks for reporting, Tim.

If the bug is really only in the design of Swift3 for this operation and the other changes are merely fixing non-production test tooling (in Swift) or adding support for Swift3's needs (in keystonemiddleware and python-keystoneclient), then the OpenStack VMT won't be issuing an official OpenStack Security Advisory. In that case the Swift3 team is still welcome to still follow our processes documented at https://security.openstack.org/vmt-process.html and the OpenStack VMT can provide access to the list of downstream stakeholders if coordinated disclosure and advance notification are deemed useful.

Is there someone from the swift3 team we can subscribe here ?

That basically consists of Kota and I.

I think the main hangup at this point is related bug https://bugs.launchpad.net/keystone/+bug/1566416, which should probably be addressed in tandem as the details from this report greatly aid in discovering the other bug.

Rebased the swift3 patch against current master and rolled in the keystonemiddleware patch, since a lot has changed in the last six months.

Is there anything still needed in keytstonemiddleware at this point? I'm not sure here, please advise so we can move forward.

Likewise, i think the swift3 patch is sufficient if Tim is happy with it so we can get this released to the wild.

Thanks!

s3_token is still present on master in keystonemiddleware, and we don't really have much insight into how quickly/whether deployers have transitioned to using s3_token from swift3. I guess telling them "go use swift3's s3_token instead" could get us out of needing to have any patches for keystonemiddleware? May as well take the opportunity to delete it from master then.

With liberty EOLed, we can drop keystoneclient as being affected.

I'm still not sure whether we should hold and address the other bug at the same time or do them independently. If anyone else has insight, I'd appreciate the input.

Ok, droping keystoneclient is the right call and we should roll the patch for KSM then.

Thanks Tim! I'll wrangle some keystone folks (or do it myself) to make sure keystonemiddleware has a proposed patch / working patch asap.

Updated the swift3 patch to apply on top of https://review.openstack.org/#/c/406424/7 which will likely land first and makes swift3 tolerate an eventual fix to https://bugs.launchpad.net/keystone/+bug/1566416

It seems like we've come to a resolution on the Keystone bug, and I've recently retested the current patches for Swift and Swift3. Barring any objections, I'll propose the Swift patch early next week, land it on master, then backport it to Ocata. After that, we can land the Swift3 patch (as Swift3 now uses Ocata Swift in the gate). Around the same time, I'll get a patch proposed for swauth, and a backport for Newton keystonemiddleware.

We still need a determination as to whether this embargoed bug will end in a coordinated OpenStack Security Advisory for swift/keystonemiddleware, or if we're only keeping this report under wraps for now at the request of the swift3 developers. If there is need for an OSSA then we need an impact description and lead time to notify downstream developers before patches are pushed into public code review. Also, making this bug public probably involves making bug 1566416 public too, since some of its details are discussed here.

Input from the Swift and Keystone core security reviewers on these matters would be appreciated.

Reviewed: https://review.openstack.org/438719
Committed: https://git.openstack.org/cgit/openstack/swift3/commit/?id=cd094eea4a0da214d11b67ee6371629379afee1f
Submitter: Jenkins
Branch: master

commit cd094eea4a0da214d11b67ee6371629379afee1f
Author: Tim Burke <email address hidden>
Date: Mon Mar 21 20:40:41 2016 -0700

    Stop using client headers for cross-middleware communication

    Previously, we would use client-accessible headers to pass the S3 access
    key, signature, and normalized request to authentication middleware.
    Specifically, we would send the following headers:

        Authorization: AWS <access key>:<signature>
        X-Auth-Token: <base64-encoded normalized request>

    However, few authentication middleware would validate that the
    Authorization header actually started with "AWS ", the only prefix that
    Swift3 would actually handle. As a result, the authentication
    middlewares had no way to validate that the normalized request came from
    swift3 rather than the client itself. This leads to a security hole
    wherein an attacker who has captured a single valid request through the
    S3 API or who has obtained a valid pre-signed URL may impersonate the
    user that issued the request or pre-signed URL indefinitely through the
    Swift API.

    Now, the S3 authentication information will be placed in a separate
    namespace in the WSGI environment, completely inaccessible to the
    client. Specifically,

        environ['swift3.auth_details'] = {
            'access_key': <access key>,
            'signature': <signature>,
            'string_to_sign': <normalized request>,
        }

    (Note that the normalized request is no longer base64-encoded.)

    UpgradeImpact

    This is a breaking API change. No currently-deployed authentication
    middlewares will work with this. This patch includes a fix for s3_token
    (used to authenticate against Keystone); any deployers still using
    keystonemiddleware to provide s3_token should switch to using swift3.
    Similar changes are being proposed for Swauth and tempauth. Proprietary
    authentication middlewares will need to be updated to use the new
    environment keys as well. When upgrading Swift3, operators will need to
    upgrade their Swift3-capable authentication middleware at the same time.

    Closes-Bug: 1561199
    Change-Id: Ia3fbb4938f0daa8845cba4137a01cc43bc1a713c
    Depends-On: Ib90adcc2f059adaf203fba1c95b2154561ea7487

Since this bug is now public, I'm setting bug 1566416 to public too.

Fixed in swift following https://review.openstack.org/#/c/438720/ (which I forgot to link to the bug)

Released on master in 2.14.0. Backported to ocata as https://github.com/openstack/swift/commit/302871d so it'll be released there if/when we have a 2.13.2

[swauth] Released on master in 1.3.0: https://github.com/openstack/swauth/commit/2a84fe7c693ade7c63e5bd59e2f3af5bd40541c9

With s3token moved to being maintained outside of KSM, I'm marking this invalid.

wont fix*

Given fixes for this landed in swift prior to creation of our oldest currently supported stable branches, and keystonemiddleware extracting the problem bits years ago as well, I don't see any reason to publish a security advisory for this. As such, I'm marking our advisory task Won't Fix.