User Enumeration and account brute force within Eucalyptus 1.6.2 for Enterprise Cloud

Bug #579942 reported by CERT on 2010-05-13
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Eucalyptus
Fix Released
Undecided
Daniel Nurmi
eucalyptus (Ubuntu)
High
Chris Cheney
Lucid
Low
Chris Cheney
Maverick
High
Chris Cheney

Bug Description

I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing I have noticed that the admin function powered by eucalyptus is vulnerable to trivial user enumeration and password brute force attacks.

When an incorrect user name is supplied to the login page the following error is returned:

 Error: Incorrect password

 As compared to an invalid user name which gives:

 Error: Username '' not found

Once a valid username has been identified it is then possible to brute force the password without any account lock out.

======

IMPACT:
 * This bug allows someone to brute force user name and passwords on UEC by telling them specifically what is wrong about the login attempt.

ADDRESSED:
 * This bug is addressed by changing the error messages to be a less descriptive 'Login incorrect'.

REPRODUCE:
 * To reproduce this issue, try to login with an invalid username or password.

REGRESSION POTENTIAL:
 * The chances for regression are relatively low.

======

Kees Cook (kees) wrote :

Thanks, this clearly needs to be fixed. Luckily it does not provide an immediate security threat, as the brute forcing may take a while.

Changed in eucalyptus (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Canonical Server Team (canonical-server)
CERT (cert) wrote :

Any update on a planned fix?

Dustin Kirkland  (kirkland) wrote :

Kees-

What behavior would you like to see here?

Changed in eucalyptus:
assignee: nobody → Dustin Kirkland (kirkland)
assignee: Dustin Kirkland (kirkland) → Daniel Nurmi (nurmi)
Dustin Kirkland  (kirkland) wrote :

FYI, the relevant code is in:
 ./clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java

See lines
404: throw new SerializableException("Username '" + userName + "' not found");
419: throw new SerializableException("Incorrect password");
672: throw new SerializableException("Username '" + userName + "' not found");

Changed in eucalyptus (Ubuntu):
assignee: Canonical Server Team (canonical-server) → Chris Cheney (ccheney)
Changed in eucalyptus (Ubuntu Lucid):
assignee: nobody → Chris Cheney (ccheney)
Changed in eucalyptus (Ubuntu Maverick):
assignee: Chris Cheney (ccheney) → Dave Walker (davewalker)
Changed in eucalyptus (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
status: Confirmed → Triaged
Changed in eucalyptus (Ubuntu Maverick):
status: Confirmed → Triaged
Changed in eucalyptus (Ubuntu Lucid):
milestone: none → lucid-updates
Kees Cook (kees) wrote :

The correct way to handle this is to have a single error message instead of two, so that bad password is indistinguishable from bad username.

Changed in eucalyptus (Ubuntu Maverick):
assignee: Dave Walker (davewalker) → Chris Cheney (ccheney)
Chris Cheney (ccheney) on 2010-06-07
description: updated
Chris Cheney (ccheney) wrote :

I have tested my fix and it works for me. :-)

Mathias Gug (mathiaz) on 2010-06-08
visibility: private → public

Accepted into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in eucalyptus (Ubuntu Lucid):
status: Triaged → Fix Committed
tags: added: verification-needed
C de-Avillez (hggdh2) wrote :

Confirmed to be fixed. The same error message is returned for either a bad userId or a bad password.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 1.6.2-0ubuntu30.2

---------------
eucalyptus (1.6.2-0ubuntu30.2) lucid-proposed; urgency=low

  * Revert: node/handlers_kvm.c: fix console bug (was only showing first 64K),
    LP: #566793
  * clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java:
    - fix user enumeration and account brute force, LP: #579942
  * debian/eucalyptus-sc.upstart: Bump maximum number of loop devices for
    SC to 512, LP: #586134

eucalyptus (1.6.2-0ubuntu30.1) lucid-proposed; urgency=low

  Address LP: #565101
  * debian/eucalyptus.conf: set default JVM_MEM option
  * debian/eucalyptus-common.eucalyptus.upstart: use $JVM_MEM
    from eucalyptus.conf, or default to 512m
  * tools/eucalyptus.conf.5: document the JVM_MEM option

  Cherry-pick upstream commit r1223..1227:
  * node/handlers.c, node/handlers_kvm.c: handle situation where NC's
    do not detach pthreads, LP: #567371
  * node/handlers_kvm.c: fix console bug (was only showing first 64K),
    LP: #566793
  * clc/modules/storage-common/src/main/java/edu/ucsb/eucalyptus/storage/StorageManager.java,
    clc/modules/storage-common/src/main/java/edu/ucsb/eucalyptus/storage/fs/FileSystemStorageManager.java,
    clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java,
    clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusManager.java,
    clc/modules/wsstack/src/main/java/com/eucalyptus/ws/handlers/ServiceSinkHandler.java:
    - fix Walrus OOM errors (java heap), LP: #565101
 -- Chris Cheney <email address hidden> Fri, 04 Jun 2010 00:39:00 -0500

Changed in eucalyptus (Ubuntu Lucid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Please upload the lucid fix to maverick as soon as possible (SRU policy). Bumping priority.

Changed in eucalyptus (Ubuntu Maverick):
importance: Low → High
milestone: none → maverick-alpha-2
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 1.6.2+bzr1230-0ubuntu1

---------------
eucalyptus (1.6.2+bzr1230-0ubuntu1) maverick; urgency=low

  [ Colin Watson ]
  * debian/eucalyptus-cloud.eucalyptus-cloud-publication.upstart: Only start
    after avahi-daemon has started.

  [ Dave Walker (Daviey) ]
  * Merge upstream branch, 1.6.2 (r1230)
  * Switch to dpkg-source 3.0 (quilt) format
    - Extracted the following patches from our bzr branch, into flat patches.
  * debian/build-jars: Replaced asm2 with asm3-all to match new groovy dependency.
  * clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/EucalyptusWebBackendImpl.java:
    - fix user enumeration and account brute force. Courtesy of Chris Cheney. (LP: #579942)
  * debian/eucalyptus-sc.upstart: Bump maximum number of loop devices for SC to 512. (LP: #586134)
 -- Dave Walker (Daviey) <email address hidden> Mon, 14 Jun 2010 13:48:17 +0100

Changed in eucalyptus (Ubuntu Maverick):
status: Triaged → Fix Released
Changed in eucalyptus:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers