[openstack-dev] [OSSG][OSSN] Authenticated users are able to update passwords without providing their current password

Nathan Kinder nkinder at redhat.com
Fri Nov 22 22:10:21 UTC 2013

Hash: SHA1

Authenticated users are able to update passwords without providing
their current password
- ---

### Summary ###
An authenticated user is able to change their password without
providing their current password. This allows compromised
authentication tokens to be used to permanently compromise a user account.

### Affected Services / Software ###
Horizon, Keystone, Identity, Grizzly

### Discussion ###
Horizon allows a user to change their own password, which uses the
Identity API to perform the password change. A user is required to
supply their current password to successfully perform a password
change. This requirement prevents a malicious user from stealing a
user's authentication token and changing that user's password to
permanently compromise their account. With this additional password
check, a compromised authentication token only compromises the user
account until the token is no longer valid due to expiration or

When using the Identity v3 API, a user is able to successfully change
their password without supplying the correct current password. This
leaves users vulnerable to permanently compromised accounts if their
authentication token is compromised. The Identity v2 API is not
vulnerable to this issue, as it has a separate API call for updating
user passwords that properly validates the current password.

### Recommended Actions ###
In the OpenStack Grizzly release, a user is allowed to update the
attributes in their own entry by default. It is recommended that you
restrict user updates to only be allowed by admin users. This is done
by setting the "update_user" policy to "admin_required" in Keystone's
policy.json file. Here is an example snippet of a properly configured
policy.json file:

- ---- begin example policy.json snippet ----
    "identity:get_user": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_required"]],
    "identity:create_user": [["rule:admin_required"]],
    "identity:update_user": [["rule:admin_required"]],
    "identity:delete_user": [["rule:admin_required"]],
- ---- end example policy.json snippet ----

This change has the side-effect of restricting a user from updating
any of their own attributes, not just their password.

In the OpenStack Havana release, the default policy is to only allow
admin users to update attributes in user entries. In addition, Horizon
will not allow a user to change their own password if it is using the
Identity v3 API, even if Keystone is configured to allow users to
update their own entries. Despite this restriction in Horizon, it is
recommended to leave the default "update_user" policy setting as is,
as an attacker could target Keystone directly without using Horizon to
initiate a password change.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1237989
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1237989
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: CVE-2013-4471
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the OpenStack-dev mailing list