[Openstack-security] [Bug 1786646] Re: Domain Existence Leaking without authentication
Jeremy Stanley
fungi at yuggoth.org
Mon Apr 27 21:53:23 UTC 2020
As there seems to be some consensus, I've gone ahead and switched this
bug to public, marking our security advisory task Won't Fix. I'll leave
it to the Keystone maintainers to do the same with theirs.
** Description changed:
- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2020-05-27 and will be made
- public by or on that date if no fix is identified.
-
The Domain Configuration subsystem, specifically PATCH
/domains/{domain_id}/config/{group} appears to leak data before
enforcement. The method called from the routed path[0] performs a
"domain exists" check[1] before sending to the 'update_domain_config'
method [2] which is behind the @protected decorator.
This has the potential to be used to verify existence of domains by ID
without authentication. This is in-fact a data leak. However, since
domains (outside of "default" and the keystone-root domain) are uuids,
this is likely a C1 classification in the VMT Taxonomy [3] (Useful if an
attacker is guessing UUIDs). The only case where this is more
significant is that it can be used to determine if the default domain is
enabled/configured; the usefulness of such data is relatively suspect
and unlikely to be meaningful.
However, with all that said, since this is a potential security flaw,
the bug has been marked private security.
[0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
[1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
[2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
[3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1786646
Title:
Domain Existence Leaking without authentication
Status in OpenStack Identity (keystone):
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The Domain Configuration subsystem, specifically PATCH
/domains/{domain_id}/config/{group} appears to leak data before
enforcement. The method called from the routed path[0] performs a
"domain exists" check[1] before sending to the 'update_domain_config'
method [2] which is behind the @protected decorator.
This has the potential to be used to verify existence of domains by ID
without authentication. This is in-fact a data leak. However, since
domains (outside of "default" and the keystone-root domain) are uuids,
this is likely a C1 classification in the VMT Taxonomy [3] (Useful if
an attacker is guessing UUIDs). The only case where this is more
significant is that it can be used to determine if the default domain
is enabled/configured; the usefulness of such data is relatively
suspect and unlikely to be meaningful.
However, with all that said, since this is a potential security flaw,
the bug has been marked private security.
[0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
[1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
[2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
[3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1786646/+subscriptions
More information about the Openstack-security
mailing list