[OSSA 2013-017] Memcache encryption middleware improperly implemented (CVE-2013-2166)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Fix Released | Low | Thierry Carrez |
python-keystoneclient | Fix Released | Medium | Thierry Carrez |
Bug Description
The memcache encryption middleware in python-
When the 'ENCRYPT' security strategy is used, it encrypts the data with raw AES, which provides no authentication properties. This means that an attacker can modify the ciphertext freely, changing the values which are decoded by the client. In most cases, this will produce garbage in one or more blocks of the decrypted text. By inspecting the behavior of the system after modification of the ciphertext, an attacker may be able to decode some or all of the encrypted message. Even if the attacker cannot decode the message, they can corrupt what should be trusted values used by the system.
Furthermore, because the decryption relies on an optional prefix when deciding whether or not to decrypt data, an attacker can simply omit the prefix to inject arbitrary data which is trusted by the client.
The encryption routine should properly sign the encrypted blob before storing it in the cache, and verify the integrity of the signature before decrypting the blob. When using the ENCRYPT security strategy, the system should reject all values which are not properly signed and encrypted.
The key derivation function should produce different values based on the security strategy, such that a key from the MAC security strategy will not validate when ENCRYPT is selected, and the reverse. More details on proper key derivation functions are available in NIST Special Publication 800-108.
As currently written, this feature provides minimal security benefits. I will be proposing a patch later today to fix the issues outlined above. I plan to fix this issue in a forwards-compatible way, with the side effect of invalidating existing ephemeral cache values for users who have enabled this feature. This should have a CVE. I'm ok with marking this bug as public given the minimal potential for exploitation (an attacker needs access to the memcache instance, which should never happen in a proper deployment) and the assumed low usage rate of this feature.
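An added example (not the python-keystoneclient patch, and not code from this report) of the behaviour the description asks for: keys derived per security strategy, a signature over the stored blob, and verification before any decryption so that unsigned or modified values are rejected. The function names, key labels and blob layout are assumptions, the sample inputs are constructed, and an HMAC-SHA256 keystream stands in for AES so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
NONCE_LEN = 16


def derive_keys(secret: bytes, strategy: str) -> dict:
    """Simplified HMAC counter-mode KDF; the strategy is part of the input, so
    keys derived for MAC never validate values written under ENCRYPT."""
    if strategy not in ("MAC", "ENCRYPT"):
        raise ValueError("unknown security strategy")
    def block(counter: int, label: bytes) -> bytes:
        msg = bytes([counter]) + label + b"\x00" + strategy.encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()
    return {"strategy": strategy, "mac": block(1, b"mac"), "enc": block(2, b"enc")}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher so the example needs only the standard library; a real
    # deployment would call AES from a vetted library at this point.
    stream = b""
    for offset in range(0, len(data), MAC_LEN):
        block_id = nonce + offset.to_bytes(8, "big")
        stream += hmac.new(key, block_id, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(keys: dict, data: bytes) -> bytes:
    """Return tag || body; under ENCRYPT the body is nonce || ciphertext."""
    body = data
    if keys["strategy"] == "ENCRYPT":
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _keystream_xor(keys["enc"], nonce, data)
    return hmac.new(keys["mac"], body, hashlib.sha256).digest() + body


def unprotect(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before any decryption; unsigned values are rejected."""
    tag, body = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(keys["mac"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache value failed integrity check")
    if keys["strategy"] != "ENCRYPT":
        return body
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    return _keystream_xor(keys["enc"], nonce, ciphertext)
```

There is no optional prefix in this layout: every stored value carries a tag, so a value written without one fails verification instead of being passed through as trusted data.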
CVE References
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Low
status: New → Triaged
summary:
- Memcache encryption middleware improperly implemented
+ Memcache encryption middleware improperly implemented (CVE-2013-2166)
information type: Private Security → Public Security
summary:
- Memcache encryption middleware improperly implemented (CVE-2013-2166)
+ [OSSA 2013-017] Memcache encryption middleware improperly implemented (CVE-2013-2166)
Changed in ossa:
status: Fix Committed → Fix Released
Changed in python-keystoneclient:
milestone: none → 0.3.0
status: Fix Committed → Fix Released
This patch is untested, but I believe it to be a mostly complete implementation of the fix.
The unittests obviously need to be updated to match this.