[Openstack-security] [Bug 1840288] Re: Trusts GET API leaks existence information to unauthorized users

Adam Young 1840288 at bugs.launchpad.net
Fri Aug 16 19:07:33 UTC 2019 

There is nothing in the trust ID itself that indicates anything about
the users, the roles, or the projects in the trust.  As such, they are
exactly the equivalent to a role-assignment ID:  You know that something
exists, but you do not know anything about it.

Trusts are supposed to be public in much the same way that a role
assignment is public:  if you know the trustor and trustee users, and
the project involved, and the role, all the trust ID tells you is the
pointer to the record that links that information together.  It must be
used in conjunction with an actual secret in order to get a token.  The
only information that should be considered secret is the credential used
by the user to confirm their identity.

This bug is invalid.

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1840288

Title:
  Trusts GET API leaks existence information to unauthorized users

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The current implementation of the GET /v3/OS-TRUST/trusts/{trust_id}
  API leaks information about the existence of a trust to unauthorized
  users.

  If an authenticated user requests a trust that either does not exist
  or has no remaining uses, the returned response is a 404 regardless of
  whether the user is an admin or a trustor/trustee of the hypothetical
  (e.g. soft-deleted or used-up) trust. If the trust does exist but the
  user has no access to it, the returned response is a 403. If an
  attacker had some reasonable way of guessing or brute-forcing the UUID
  of a trust, they could use this leak to confirm its existence. A valid
  trust ID can then be used as part of a token request in combination
  with the trustee's credentials.

  The issue is here:

  https://opendev.org/openstack/keystone/src/commit/5beddfaddbb4c59d7a24fa1d7ff534da4c69ddc5/keystone/api/trusts.py#L149-L150

  The current "identity:get_trust" default policy rule is "" which is
  all-permissive, and authorization is hardcoded in the trust controller
  code. To enforce the "only the trustor or trustee can GET this" rule,
  it does a lookup of the trust and doesn't catch a NotFound, thereby
  leaking it directly back to the requester.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1840288/+subscriptions

More information about the Openstack-security mailing list