OpenStack API authentication information leakage

Bug #732866 reported by justinsb
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Brian Lamar
Milestone: 2011.2

Bug Description

When logging in using the OpenStack API, I should get the same error (401?) if my credentials are wrong no matter what.

However, if I use the password of _anyone_ in the system, I get a 401. If my password does not match anyone in the system, then I get a 500. Obvious birthday-paradox attack.

Thankfully the OpenStack API isn't released yet, so not classifying this as a vulnerability.

Related branches

Thierry Carrez (ttx) wrote :

Nice catch.
None of the linked branches directly address this bug, right? In which case maybe those should be unlinked to avoid giving the impression this is already being addressed?

Changed in nova:
importance: Undecided → High
status: New → Confirmed
justinsb (justin-fathomdb) wrote :

Sorry - the branches test for the issue, but they don't currently try to fix it. I'm staying away from making any more auth changes, not least because I've already fixed this bug once!

There are some pretty decent tests in test-openstack-login for the issue though, they're just commented out. The branches are "Related" but I'm not working on the issue at the moment.

Donal Lafferty (donal-lafferty) wrote : RE: [Bug 732866] [NEW] OpenStack API authentication information leakage

It's a security flaw, but it's not to do with the birthday-paradox. The birthday-paradox attack is used in the context of hash collisions, which I verified with a colleague in security. The vulnerability below simplifies a brute force attack.

DL

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of justinsb
Sent: 10 March 2011 21:24
To: Donal Lafferty
Subject: [Bug 732866] [NEW] OpenStack API authentication information leakage

Public bug reported:

When logging in using the OpenStack API, I should get the same error
(401?) if my credentials are wrong no matter what.

However, if I use the password of _anyone_ in the system, I get a 401.
If my password does not match anyone in the system, then I get a 500.
Obvious birthday-paradox attack.

Thankfully the OpenStack API isn't released yet, so not classifying this as a vulnerability.


justinsb (justin-fathomdb) wrote :

On reflection, I think you're probably right, it's not the birthday paradox. I was trying to communicate the idea that because the password is checked against every password in the system (not just the user's password), as the number of users/passwords in the system increases, the ease with which we can discover passwords increases.

I think we're all agreed it should be fixed!

And maybe in the future we can persuade you & your colleague to have a look at the authentication code, when the 'real' authn system is implemented :-)
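As an added illustration (not nova's code, and not the fix that was committed for this bug), the hypothetical Python authenticator below reproduces the behaviour described in the bug report and in justinsb's comment above: the store is indexed by password, so a password belonging to nobody raises an unhandled error (500) while any user's password reaches the username check (401). Beside it is a version that looks up by username, compares in constant time, and maps every failure to the same 401. The user names, passwords and salt are constructed sample values.

```python
import hashlib
import hmac


class AuthError(Exception):
    """Raised for every failed login; the caller maps it to one 401."""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample store. A single shared salt is used only so that the
# leaky version can index by hash; real stores use a per-user salt.
_SALT = b"constructed-demo-salt"
USERS = {name: _hash(pw, _SALT) for name, pw in [("alice", "s3cret"), ("bob", "hunter2")]}


def leaky_login(username, password):
    """Hypothetical reproduction of the reported behaviour: look the
    credential up by password first, then check whose it is."""
    by_hash = {h: name for name, h in USERS.items()}
    owner = by_hash[_hash(password, _SALT)]  # KeyError when no user has this password
    if owner != username:
        raise AuthError("wrong user for this password")
    return 200


def fixed_login(username, password):
    """Look up by username, always hash the candidate, compare in constant
    time, and fail through a single path."""
    stored = USERS.get(username)
    candidate = _hash(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        raise AuthError("invalid credentials")
    return 200


def login_status(login, username, password):
    """Map a login attempt to the HTTP status an API layer would emit:
    AuthError becomes 401, any other exception surfaces as a 500."""
    try:
        return login(username, password)
    except AuthError:
        return 401
    except Exception:
        return 500
```

With `leaky_login`, comparing the status for a guess that matches some other user's password against one that matches nobody's tells the caller which guesses are real passwords; `fixed_login` returns 401 for both.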

Brian Lamar (blamar)
Changed in nova:
assignee: nobody → Brian Lamar (blamar)
Thierry Carrez (ttx)
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → 2011.2
status: Fix Committed → Fix Released