[OSSA 2013-018] Failing SSL cert check in Glance python client

The fix being public, this bug should be public too.

Thomas: did you check if the other clients were similarly affected ?

Could you describe the scenario exploiting this vulnerability ? You mention on the commit message: "Currently, accessing a host via ip address will pass SSL verification" -- so exploiting this requires enticing the user to use an IP address as the Glance endpoint, in addition to the MiM setup ?

Currently, commands like the following will pass verification

    glance -A XXX -U https://206.164.176.31:443 index

and it shouldn't! From looking in the code, it's obvious that the expected behavior should be to call host_matches_cert. But this call is being bypassed entirely by the mishandling of the preverify_ok int as a bool.

@Thomas:
* is usage of direct IP address the only way to stumble on this vulnerability ? Or do you see other cases where this needed verification is bypassed ?
* did you already check other OpenStack python-PROJECTclient codebases for the existence of a similar issue ?

@Thierry:
* no, currently it will never check the hostname against the certificate so any incorrect hostname (with a 'valid' cert) will pass
* I know that python-swiftclient currently does not do any form of SSL validation but I have not check the other clients. I will do so in the next few days

All the other python-*clients (with the exception of swiftclient mentioned above) use alternative libraries to provide SSL support and therefore are not affected by this bug.

Proposed impact description:

-----------
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: Glance
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).
------------

Thierry's proposed impact description in comment #7 looks good to me.

Impact description in comment 7 looks good to me.

Will file swiftclient issue in another bug. Requested CVE with s/Products: Glance/Products: python-glance-client/ in description

swiftclient issue is now bug 1199783

Reviewed: https://review.openstack.org/33464
Committed: http://github.com/openstack/python-glanceclient/commit/822cd64c0718b46a065abbb8709f6b466d12e708
Submitter: Jenkins
Branch: master

commit 822cd64c0718b46a065abbb8709f6b466d12e708
Author: Thomas Leaman <email address hidden>
Date: Tue Jun 18 15:34:45 2013 +0000

    Fix SSL certificate CNAME checking

    Currently, accessing a host via ip address will pass SSL verification;
    the CNAME is not checked as intended as part of verify_callback.

    'preverify_ok is True' will always return false (int/bool comparison).
    preverify_ok will be 1 if preverification has passed.

    Fixes bug 1192229

    Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f

Sent to downstream stakeholders

Hi. Here's the patch which I backported to version 0.9.0, and which I have just uploaded to Debian Sid.

OSSA 2013-018