2010-05-13 12:39:46 |
CERT |
bug |
|
|
added bug |
2010-05-13 13:12:33 |
Kees Cook |
bug task added |
|
eucalyptus |
|
2010-05-13 13:14:39 |
Kees Cook |
eucalyptus (Ubuntu): status |
New |
Confirmed |
|
2010-05-13 13:14:42 |
Kees Cook |
eucalyptus (Ubuntu): importance |
Undecided |
Low |
|
2010-05-13 13:15:00 |
Kees Cook |
eucalyptus (Ubuntu): assignee |
|
Canonical Server Team (canonical-server) |
|
2010-05-26 23:27:09 |
Dustin Kirkland |
eucalyptus: assignee |
|
Dustin Kirkland (kirkland) |
|
2010-05-26 23:27:24 |
Dustin Kirkland |
eucalyptus: assignee |
Dustin Kirkland (kirkland) |
Daniel Nurmi (nurmi) |
|
2010-05-26 23:34:20 |
Dustin Kirkland |
eucalyptus (Ubuntu): assignee |
Canonical Server Team (canonical-server) |
Chris Cheney (ccheney) |
|
2010-05-26 23:36:14 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Lucid |
|
2010-05-26 23:36:14 |
Dustin Kirkland |
bug task added |
|
eucalyptus (Ubuntu Lucid) |
|
2010-05-26 23:36:14 |
Dustin Kirkland |
nominated for series |
|
Ubuntu Maverick |
|
2010-05-26 23:36:14 |
Dustin Kirkland |
bug task added |
|
eucalyptus (Ubuntu Maverick) |
|
2010-05-26 23:36:28 |
Dustin Kirkland |
eucalyptus (Ubuntu Lucid): assignee |
|
Chris Cheney (ccheney) |
|
2010-05-26 23:36:37 |
Dustin Kirkland |
eucalyptus (Ubuntu Maverick): assignee |
Chris Cheney (ccheney) |
Dave Walker (davewalker) |
|
2010-05-26 23:36:47 |
Dustin Kirkland |
eucalyptus (Ubuntu Lucid): status |
New |
Confirmed |
|
2010-05-26 23:36:52 |
Dustin Kirkland |
eucalyptus (Ubuntu Lucid): importance |
Undecided |
Low |
|
2010-05-26 23:36:54 |
Dustin Kirkland |
eucalyptus (Ubuntu Lucid): status |
Confirmed |
Triaged |
|
2010-05-26 23:36:55 |
Dustin Kirkland |
eucalyptus (Ubuntu Maverick): status |
Confirmed |
Triaged |
|
2010-05-26 23:37:03 |
Dustin Kirkland |
eucalyptus (Ubuntu Lucid): milestone |
|
lucid-updates |
|
2010-06-01 17:29:36 |
Dustin Kirkland |
eucalyptus (Ubuntu Maverick): assignee |
Dave Walker (davewalker) |
Chris Cheney (ccheney) |
|
2010-06-04 20:17:10 |
Launchpad Janitor |
branch linked |
|
lp:~ccheney/ubuntu/lucid/eucalyptus/lucid-sru |
|
2010-06-07 14:51:16 |
Chris Cheney |
description |
I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing, I have noticed that the admin function powered by eucalyptus is vulnerable to trivial user enumeration and password brute-force attacks.
When an incorrect user name is supplied to the login page, the following error is returned:
Error: Incorrect password
As compared to an invalid user name, which gives:
Error: Username '' not found
Once a valid username has been identified, it is then possible to brute-force the password without any account lockout. |
I just wanted to raise a security issue directly with your team. Having installed Ubuntu Enterprise Cloud for some internal testing, I have noticed that the admin function powered by eucalyptus is vulnerable to trivial user enumeration and password brute-force attacks.
When an incorrect user name is supplied to the login page, the following error is returned:
Error: Incorrect password
As compared to an invalid user name, which gives:
Error: Username '' not found
Once a valid username has been identified, it is then possible to brute-force the password without any account lockout.
======
IMPACT:
* This bug allows someone to brute-force user names and passwords on UEC by telling them specifically what is wrong about the login attempt.
ADDRESSED:
* This bug is addressed by changing the error messages to a less descriptive 'Login incorrect'.
REPRODUCE:
* To reproduce this issue, try to log in with an invalid username or password.
REGRESSION POTENTIAL:
* The chances for regression are relatively low.
====== |
|
2010-06-08 17:48:38 |
Mathias Gug |
visibility |
private |
public |
|
2010-06-08 17:57:29 |
Steve Langasek |
eucalyptus (Ubuntu Lucid): status |
Triaged |
Fix Committed |
|
2010-06-08 17:57:45 |
Steve Langasek |
tags |
|
verification-needed |
|
2010-06-08 18:14:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-proposed/eucalyptus |
|
2010-06-10 18:06:44 |
C de-Avillez |
tags |
verification-needed |
verification-done |
|
2010-06-14 13:03:18 |
Launchpad Janitor |
branch linked |
|
lp:~davewalker/eucalyptus/maverick_to_quilt |
|
2010-06-15 07:32:09 |
Launchpad Janitor |
eucalyptus (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
2010-06-15 07:32:45 |
Martin Pitt |
eucalyptus (Ubuntu Maverick): importance |
Low |
High |
|
2010-06-15 07:32:45 |
Martin Pitt |
eucalyptus (Ubuntu Maverick): milestone |
|
maverick-alpha-2 |
|
2010-06-15 15:45:10 |
Launchpad Janitor |
eucalyptus (Ubuntu Maverick): status |
Triaged |
Fix Released |
|
2010-06-15 16:44:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/eucalyptus |
|
2011-10-19 16:48:13 |
Jamie Strandboge |
removed subscriber Ubuntu Security Team |
|
|
|
2011-12-03 09:37:25 |
graziano obertelli |
eucalyptus: status |
New |
Fix Released |
|