[Openstack-security] [Bug 1656076] [NEW] The keystone server auth pluigin methods could mismatch user_id in auth_context

Morgan Fainberg morgan.fainberg at gmail.com
Thu Jan 12 19:16:38 UTC 2017 

*** This bug is a security vulnerability ***

Public security bug reported:

The keystone server blindly overwrites the auth_context.user_id in each
auth method that is run. This means that the last auth_method that is
run for a given authentication request dictates the user_id.

While this is not exploitable externally without misconfiguration of the
external plugin methods and supporting services, this is a bad state
that could relatively easily result in someone ending up authenticated
with the wrong user_id.

The simplest fix will be to have the for loop in the authentication
controller (that iterates over the methods) to verify the user_id does
not change between auth_methods executed.

https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

This has been marked as public security for hardening purposes, likely a
"Class D" https://security.openstack.org/vmt-process.html#incident-
report-taxonomy

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: authentication security

** Tags added: authentication security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1656076

Title:
  The keystone server auth pluigin methods could mismatch user_id in
  auth_context

Status in OpenStack Identity (keystone):
  New

Bug description:
  The keystone server blindly overwrites the auth_context.user_id in
  each auth method that is run. This means that the last auth_method
  that is run for a given authentication request dictates the user_id.

  While this is not exploitable externally without misconfiguration of
  the external plugin methods and supporting services, this is a bad
  state that could relatively easily result in someone ending up
  authenticated with the wrong user_id.

  The simplest fix will be to have the for loop in the authentication
  controller (that iterates over the methods) to verify the user_id does
  not change between auth_methods executed.

  https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557

  This has been marked as public security for hardening purposes, likely
  a "Class D" https://security.openstack.org/vmt-process.html#incident-
  report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions

More information about the Openstack-security mailing list