Open Stack

Authenticated users are able to update passwords without providing their current password
---

### Summary ###
An authenticated user is able to change their password without providing their current password. This allows compromised authentication tokens to be used to permanently compromise a user account.

### Affected Services / Software ###
Horizon, Keystone, Identity, Grizzly

### Discussion ###
Horizon allows a user to change their own password, which uses the Identity API to perform the password change. A user is required to supply their current password to successfully perform a password change. This requirement prevents a malicious user from stealing a user's authentication token and changing that user's password to permanently compromise their account. With this additional password check, a compromised authentication token only compromises the user account until the token is no longer valid due to expiration or revocation.

When using the Identity v3 API, a user is able to successfully change
their password without supplying the correct current password. This
leaves users vulnerable to permanently compromised accounts if their
authentication token is compromised. The Identity v2 API is not
vulnerable to this issue, as it has a separate API call for updating
user passwords that properly validates the current password.

### Recommended Actions ###
In the OpenStack Grizzly release, a user is allowed to update the attributes in their own entry by default. It is recommended that you restrict user updates to only be allowed by admin users. This is done by setting the "update_user" policy to "admin_required" in Keystone's policy.json file. Here is an example snippet of a properly configured policy.json file:

---- begin example policy.json snippet ----
    "identity:get_user": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_required"]],
    "identity:create_user": [["rule:admin_required"]],
    "identity:update_user": [["rule:admin_required"]],
    "identity:delete_user": [["rule:admin_required"]],
---- end example policy.json snippet ----

This change has the side-effect of restricting a user from updating any
of their own attributes, not just their password.

In the OpenStack Havana release, the default policy is to only allow
admin users to update attributes in user entries. In addition, Horizon
will not allow a user to change their own password if it is using the
Identity v3 API, even if Keystone is configured to allow users to update
their own entries. Despite this restriction in Horizon, it is
recommended to leave the default "update_user" policy setting as is, as
an attacker could target Keystone directly without using Horizon to
initiate a password change.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1237989
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1237989
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: CVE-2013-4471

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1237989

Title:
  user can update his password without knowing the old password

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Notes:
  In Progress

Bug description:
  a user logged into horizon can change his password without needing to
  type in the correct old password. It's just required to type in
  anything as the old password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1237989/+subscriptions