[0SSA 2014-013] V3 Authentication Chaining - uniqueness of auth method names (CVE-2014-2828)

Bug #1300274 reported by Abu Shohel Ahmed
Affects                         Status         Importance   Assigned to       Milestone
OpenStack Identity (keystone)   Fix Released   High         Florent Flament
Havana                          Fix Released   High         Florent Flament
OpenStack Security Advisory     Fix Released   Medium       Unassigned

Bug Description

In V3.0 API, we can chain authentication methods. An attacker can place the same authentication method multiple times in the methods field. This will result in the same authentication method checking over and over (for loop in code). Using this, an attacker can achieve some sorts of Denial of Service. The methods field is not properly sanitized.

{
   "auth":{
      "identity":{
         "methods":[
            "password",
            "password",
            "password",
            "password",
            "password"
         ],
         "password":{
            "user":{
               "domain":{
                  "id":"default"
               },
               "name":"demo",
               "password":"stack"
            }
         }
      }
   }
}

Tags: security
Dolph Mathews (dolph)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: havana-backport-potential
tags: added: icehouse-backport-potential
Changed in keystone:
assignee: nobody → Florent Flament (florent-flament-ext)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/84425

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph)
tags: added: icehouse-rc-potential
removed: icehouse-backport-potential
Grant Murphy (gmurphy)
information type: Public → Public Security
Thierry Carrez (ttx) wrote : Re: V3 Authentication Chaining - uniqueness of auth method names

Not totally convinced this is different from placing normal activity on the server...

Changed in ossa:
status: New → Incomplete
Florent Flament (florentflament) wrote :

@Thierry, the difference that I see between many authentication requests versus one request with many authentication methods, is that in the first case an operator may limit the rate at which requests are processed, but it's more difficult to protect Keystone against few requests triggering many authentication trials.

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-rc2
tags: removed: icehouse-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/84735

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/84425
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c
Submitter: Jenkins
Branch: master

commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c
Author: Florent Flament <email address hidden>
Date: Tue Apr 1 12:48:22 2014 +0000

    Sanitizes authentication methods received in requests.

    When a user authenticates against Identity V3 API, he can specify
    multiple authentication methods. This patch removes duplicates, which
    could have been used to achieve DoS attacks.

    Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d
    Closes-Bug: 1300274
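
The repeated-method behaviour from the bug description and the duplicate removal the commit message describes, as an added Python example; it is not Keystone's code. `CountingPlugin`, `unique_methods`, `run_chain` and `plugin_calls` are hypothetical names, and the request body is constructed from the one in the report.

```python
import json

# Constructed sample body, shaped like the request in the bug description.
SAMPLE_BODY = json.dumps({"auth": {"identity": {
    "methods": ["password"] * 5,
    "password": {"user": {"domain": {"id": "default"},
                          "name": "demo", "password": "stack"}},
}}})


class CountingPlugin:
    """Hypothetical stand-in for an auth plugin; records how often it runs."""

    def __init__(self):
        self.calls = 0

    def authenticate(self, payload):
        self.calls += 1  # a real plugin does its credential check here
        return payload is not None


def unique_methods(methods):
    """Drop repeated method names, keeping first-seen order."""
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise ValueError("methods must be a list of strings")
    return list(dict.fromkeys(methods))


def run_chain(body, plugins, dedupe):
    """Call the plugin for every listed method; return how many were run."""
    identity = json.loads(body)["auth"]["identity"]
    methods = identity["methods"]
    if dedupe:
        methods = unique_methods(methods)
    for name in methods:
        if name not in plugins:
            raise ValueError("unsupported method: %s" % name)
        if not plugins[name].authenticate(identity.get(name)):
            raise PermissionError("authentication failed for %s" % name)
    return len(methods)


def plugin_calls(body, dedupe):
    """Count plugin invocations for one request, with or without dedup."""
    plugin = CountingPlugin()
    run_chain(body, {"password": plugin}, dedupe)
    return plugin.calls
```

Without de-duplication the work per request grows with the length of the `methods` list; with it, the work is bounded by the number of distinct method names the server supports.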

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/84735
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ce6cedb30c5c4b4cf4db9380f09443de22414b39
Submitter: Jenkins
Branch: milestone-proposed

commit ce6cedb30c5c4b4cf4db9380f09443de22414b39
Author: Florent Flament <email address hidden>
Date: Tue Apr 1 12:48:22 2014 +0000

    Sanitizes authentication methods received in requests.

    When a user authenticates against Identity V3 API, he can specify
    multiple authentication methods. This patch removes duplicates, which
    could have been used to achieve DoS attacks.

    Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d
    Closes-Bug: 1300274

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Tristan Cacqueray (tristan-cacqueray) wrote : Re: V3 Authentication Chaining - uniqueness of auth method names

Impact description draft #1:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: 2013.2 versions up to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.

Dolph Mathews (dolph) wrote :

I could be mistaken, but I believe 2013.1 would be affected as well. (please correct me if that's not true!)

+1 for the description itself

Thierry Carrez (ttx) wrote :

Description: +1 -- please double-check affected versions as Dolph said

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/86024

Tristan Cacqueray (tristan-cacqueray) wrote : Re: V3 Authentication Chaining - uniqueness of auth method names

@Dolph yes you are right, my bad, I forgot to include it in the affected version line.

I think 9f812939 introduced this bug and "git tag --contains" says it got merged for 2013.1.

Update impact description draft #2:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: 2013.1 versions up to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.

Jeremy Stanley (fungi) wrote :

Following our current template in the wiki this would more properly be expressed as...

Versions: from 2013.1 to 2013.2.3

Otherwise Tristan's latest impact description looks great.

Thierry Carrez (ttx)
Changed in ossa:
status: Confirmed → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/havana)

Reviewed: https://review.openstack.org/86024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
Submitter: Jenkins
Branch: stable/havana

commit e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
Author: Florent Flament <email address hidden>
Date: Tue Apr 1 12:48:22 2014 +0000

    Sanitizes authentication methods received in requests.

    When a user authenticates against Identity V3 API, he can specify
    multiple authentication methods. This patch removes duplicates, which
    could have been used to achieve DoS attacks.

    Closes-Bug: 1300274
    (cherry picked from commit ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c)
    Cherry-pick from https://review.openstack.org/#/c/84425/

    Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab

summary: - V3 Authentication Chaining - uniqueness of auth method names
+ [0SSA 2014-013] V3 Authentication Chaining - uniqueness of auth method
+ names (CVE-2014-2828)
Changed in ossa:
status: Triaged → Fix Released
Alan Pevec (apevec)
tags: removed: havana-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc2 → 2014.1