From 1876709 at bugs.launchpad.net Mon May 4 11:26:21 2020
From: 1876709 at bugs.launchpad.net (Abhishek Mahajan)
Date: Mon, 04 May 2020 11:26:21 -0000
Subject: [Openstack-security] [Bug 1876709] [NEW] Found a new bug
Message-ID: <158859158138.4932.7770706656353604866.malonedeb@soybean.canonical.com>

Public bug reported:

xyz file is missing.

** Affects: openstack-dev-sandbox
     Importance: Undecided
         Status: New

** Tags: security

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1876709

Title:
  Found a new bug

Status in openstack-dev-sandbox:
  New

Bug description:
  xyz file is missing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-dev-sandbox/+bug/1876709/+subscriptions


From mark at stackhpc.com Tue May 5 10:26:21 2020
From: mark at stackhpc.com (Mark Goddard)
Date: Tue, 05 May 2020 10:26:21 -0000
Subject: [Openstack-security] [Bug 1865840] Re: service-rabbitmq logs password in cleartext
References: <158322346711.26276.6474994292213643749.malonedeb@gac.canonical.com>
Message-ID: <158867438324.5250.12993289484241326020.launchpad@chaenomeles.canonical.com>

** Changed in: kolla-ansible/train
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1865840

Title:
  service-rabbitmq logs password in cleartext

Status in kolla-ansible:
  Fix Released
Status in kolla-ansible train series:
  Fix Released
Status in kolla-ansible ussuri series:
  Fix Released

Bug description:
  service-rabbitmq logs password in cleartext

To manage notifications about this bug go to:
https://bugs.launchpad.net/kolla-ansible/+bug/1865840/+subscriptions


From gouthampravi at gmail.com Wed May 6 15:53:50 2020
From: gouthampravi at gmail.com (Goutham Pacha Ravi)
Date: Wed, 06 May 2020 15:53:50 -0000
Subject: [Openstack-security] [Bug 1700501] Re: Insecure rootwrap usage
References: <149847400077.21285.859787175293982985.malonedeb@soybean.canonical.com>
Message-ID: <158878043083.12738.4188434903303995973.malone@gac.canonical.com>

In Manila, we've discussed migrating off of rootwrap, to privsep - and
are yet to find an owner to complete that work. We'll hopefully do that
soon. However, I agree this bug is wide open. We'll use a different
tracker to call out the tasks to deprecate the usage of rootwrap.

** Changed in: manila
       Status: Incomplete => Invalid

https://bugs.launchpad.net/bugs/1700501

Title:
  Insecure rootwrap usage

Status in Cinder:
  New
Status in OpenStack Shared File Systems Service (Manila):
  Invalid
Status in OpenStack Compute (nova):
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Reported by Benjamin Deuter of SUSE:

  Some rootwrap filters are too permissive and allow privilege escalation
  from service user, as explained here:
  https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html#incorrect

  For example this shouldn't be authorized:

  sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1700501/+subscriptions


From fungi at yuggoth.org Wed May 6 22:47:06 2020
From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 06 May 2020 22:47:06 -0000
Subject: [Openstack-security] [Bug 1872755] Re: ec2 credential "trust_id" can be updated to null
References: <158687949271.6128.17061225762437950272.malonedeb@chaenomeles.canonical.com>
Message-ID: <158880522698.4693.14421413464634447404.malone@soybean.canonical.com>

I've set our advisory task to Won't Fix on this one, as no advisory is
required with the fix for bug 1872735 effectively preventing the path
to exploitation.

** Tags added: security

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Similar to https://bugs.launchpad.net/keystone/+bug/1872733 and
  https://bugs.launchpad.net/keystone/+bug/1872753.

  If ec2 credentials were created within a trust_id scope, it is still
  possible to set these credentials' "trust_id" to "null" using:

  curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    -H "X-Auth-Token: ***" \
    -d '{
      "credential": {
        "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}"
      }
    }'

  Note "null" in blob.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872755/+subscriptions


From 1872755 at bugs.launchpad.net Thu May 7 06:32:51 2020
From: 1872755 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 07 May 2020 06:32:51 -0000
Subject: [Openstack-security] [Bug 1872755] Fix proposed to keystone (stable/pike)
References: <158687949271.6128.17061225762437950272.malonedeb@chaenomeles.canonical.com>
Message-ID: <158883317160.11824.643123748028053101.malone@wampee.canonical.com>

Fix proposed to branch: stable/pike
Review: https://review.opendev.org/726046

https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix


From 1872755 at bugs.launchpad.net Thu May 7 19:53:05 2020
From: 1872755 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 07 May 2020 19:53:05 -0000
Subject: [Openstack-security] [Bug 1872755] Re: ec2 credential "trust_id" can be updated to null
References: <158687949271.6128.17061225762437950272.malonedeb@chaenomeles.canonical.com>
Message-ID: <158888118606.3922.5975378010289351202.malone@chaenomeles.canonical.com>

Reviewed:  https://review.opendev.org/725888
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2f2736ebb267c757ad77fcf25ee0aaeefab2a09d
Submitter: Zuul
Branch:    stable/ussuri

commit 2f2736ebb267c757ad77fcf25ee0aaeefab2a09d
Author: Colleen Murphy
Date:   Tue Apr 14 16:47:44 2020 -0700

    Fix security issues with EC2 credentials

    This change addresses several issues in the creation and use of EC2/S3
    credentials with keystone tokens.

    1. Disable altering credential owner attributes or metadata

    Without this patch, an authenticated user can create an EC2 credential
    for themself for a project they have a role on, then update the
    credential to target a user and project completely unrelated to them.
    In the worst case, this could be the admin user and a project the admin
    user has a role assignment on. A token granted for an altered credential
    like this would allow the user to masquerade as the victim user.

    This patch ensures that when updating a credential, the new form of the
    credential is one the acting user has access to: if the system admin
    user is changing the credential, the new user ID or project ID could be
    anything, but regular users may only change the credential to be one
    that they still own.

    Relatedly, when a user uses an application credential or a trust to
    create an EC2 credential, keystone automatically adds the trust ID or
    application credential ID as metadata in the EC2 access blob so that it
    knows how the token can be scoped when it is used. Without this patch,
    a user who has created a credential in this way can update the access
    blob to remove or alter this metadata and escalate their privileges to
    be fully authorized for the trustor's, application credential
    creator's, or OAuth1 access token authorizer's privileges on the
    project. This patch fixes the issue by simply disallowing updates to
    keystone-controlled metadata in the credential.

    2. Respect token roles when creating EC2 credentials

    Without this patch, a trustee, an application credential user, or an
    OAuth1 access token holder could create an EC2 credential or an
    application credential using any roles the trustor, application
    credential creator, or access token authorizer had on the project,
    regardless of whether the creator had delegated only a limited subset
    of roles. This was because the trust_id attribute of the EC2 access
    blob was ignored, and no metadata for the application credential or
    access token was recorded either. This change ensures that the access
    delegation resource is recorded in the metadata of the EC2 credential
    when created and passed to the token provider when used for
    authentication so that the token provider can look up the correct roles
    for the request.

    Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
    Closes-bug: #1872733
    Closes-bug: #1872755
    Closes-bug: #1872735
    (cherry picked from commit 37e9907a176dad6843819b1bec4946c3aecc4548)

** Tags added: in-stable-ussuri

https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix


From 1876709 at bugs.launchpad.net Fri May 8 03:58:44 2020
From: 1876709 at bugs.launchpad.net (Triveni Gurram)
Date: Fri, 08 May 2020 03:58:44 -0000
Subject: [Openstack-security] [Bug 1876709] Re: Found a new bug
References: <158859158138.4932.7770706656353604866.malonedeb@soybean.canonical.com>
Message-ID: <158891032574.13599.6465577044325379532.launchpad@gac.canonical.com>

** Changed in: openstack-dev-sandbox
     Assignee: (unassigned) => Triveni Gurram (triveni12)

https://bugs.launchpad.net/bugs/1876709

Title:
  Found a new bug

Status in openstack-dev-sandbox:
  New


From 1876709 at bugs.launchpad.net Fri May 8 07:06:31 2020
From: 1876709 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 08 May 2020 07:06:31 -0000
Subject: [Openstack-security] [Bug 1876709] Re: Found a new bug
References: <158859158138.4932.7770706656353604866.malonedeb@soybean.canonical.com>
Message-ID: <158892159200.12655.13706045410398445640.malone@gac.canonical.com>

Fix proposed to branch: master
Review: https://review.opendev.org/726292

** Changed in: openstack-dev-sandbox
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1876709

Title:
  Found a new bug

Status in openstack-dev-sandbox:
  In Progress


From 1872755 at bugs.launchpad.net Fri May 8 16:15:01 2020
From: 1872755 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 08 May 2020 16:15:01 -0000
Subject: [Openstack-security] [Bug 1872755] Re: ec2 credential "trust_id" can be updated to null
References: <158687949271.6128.17061225762437950272.malonedeb@chaenomeles.canonical.com>
Message-ID: <158895450147.13388.16356830160527875306.malone@gac.canonical.com>

Reviewed:  https://review.opendev.org/725886
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=37e9907a176dad6843819b1bec4946c3aecc4548
Submitter: Zuul
Branch:    master

commit 37e9907a176dad6843819b1bec4946c3aecc4548
Author: Colleen Murphy
Date:   Tue Apr 14 16:47:44 2020 -0700

    Fix security issues with EC2 credentials

    This change addresses several issues in the creation and use of EC2/S3
    credentials with keystone tokens.

    1. Disable altering credential owner attributes or metadata

    Without this patch, an authenticated user can create an EC2 credential
    for themself for a project they have a role on, then update the
    credential to target a user and project completely unrelated to them.
    In the worst case, this could be the admin user and a project the admin
    user has a role assignment on. A token granted for an altered credential
    like this would allow the user to masquerade as the victim user.

    This patch ensures that when updating a credential, the new form of the
    credential is one the acting user has access to: if the system admin
    user is changing the credential, the new user ID or project ID could be
    anything, but regular users may only change the credential to be one
    that they still own.

    Relatedly, when a user uses an application credential or a trust to
    create an EC2 credential, keystone automatically adds the trust ID or
    application credential ID as metadata in the EC2 access blob so that it
    knows how the token can be scoped when it is used. Without this patch,
    a user who has created a credential in this way can update the access
    blob to remove or alter this metadata and escalate their privileges to
    be fully authorized for the trustor's, application credential
    creator's, or OAuth1 access token authorizer's privileges on the
    project. This patch fixes the issue by simply disallowing updates to
    keystone-controlled metadata in the credential.

    2. Respect token roles when creating EC2 credentials

    Without this patch, a trustee, an application credential user, or an
    OAuth1 access token holder could create an EC2 credential or an
    application credential using any roles the trustor, application
    credential creator, or access token authorizer had on the project,
    regardless of whether the creator had delegated only a limited subset
    of roles. This was because the trust_id attribute of the EC2 access
    blob was ignored, and no metadata for the application credential or
    access token was recorded either. This change ensures that the access
    delegation resource is recorded in the metadata of the EC2 credential
    when created and passed to the token provider when used for
    authentication so that the token provider can look up the correct roles
    for the request.

    Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
    Closes-bug: #1872733
    Closes-bug: #1872755
    Closes-bug: #1872735

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix


From 1872755 at bugs.launchpad.net Fri May 8 16:22:59 2020
From: 1872755 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 08 May 2020 16:22:59 -0000
Subject: [Openstack-security] [Bug 1872755] Fix proposed to keystone (stable/queens)
References: <158687949271.6128.17061225762437950272.malonedeb@chaenomeles.canonical.com>
Message-ID: <158895497994.12815.13360652918184867078.malone@gac.canonical.com>

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/726435

https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
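The two checks that the keystone commit message in this thread describes, modelled in Python as an added example; this is not keystone's code. The Credential, Trust and Context classes, the assignments mapping, the KEYSTONE_CONTROLLED key list and the sample users, projects and blob values are constructed for the illustration, and roles_for_ec2_token is a simplified stand-in for the token provider's role lookup: a credential carrying a trust_id yields only the roles the trust delegated. The unchecked update reproduces the pre-fix behaviour (the nulled trust_id is stored and the credential now yields the trustee's own direct roles); the checked update refuses both that change and a change of owner by anyone other than a system admin.

```python
import json
from dataclasses import dataclass, replace

# EC2 access-blob keys that keystone writes itself when a credential is created
# under a trust, application credential or OAuth1 access token. They tell the
# token provider how to scope the token, so a caller must not add, change or
# remove them on update. (Key names are assumed for this example.)
KEYSTONE_CONTROLLED = ("trust_id", "app_cred_id", "access_token_id")
_MISSING = object()   # sentinel so that "set to null" differs from "absent"


@dataclass
class Credential:
    id: str
    user_id: str
    project_id: str
    blob: str          # JSON string, as stored and returned by the API


@dataclass
class Context:
    """Who is calling the credential API."""
    user_id: str
    is_system_admin: bool = False


@dataclass
class Trust:
    trustor_user_id: str
    trustee_user_id: str
    project_id: str
    roles: frozenset   # subset of the trustor's roles that was delegated


class Forbidden(Exception):
    pass


def update_credential_unchecked(cred, patch, ctx):
    """Pre-fix behaviour: every supplied attribute is copied over verbatim."""
    for attr in ("user_id", "project_id", "blob"):
        if attr in patch:
            setattr(cred, attr, patch[attr])
    return cred


def update_credential_checked(cred, patch, ctx, assignments):
    """Post-fix behaviour. assignments maps (user_id, project_id) -> role set."""
    new_user = patch.get("user_id", cred.user_id)
    new_project = patch.get("project_id", cred.project_id)
    if not ctx.is_system_admin:
        # A regular user may only move the credential to a user/project pair
        # they still own: themselves, on a project they hold a role on.
        if new_user != ctx.user_id or not assignments.get((new_user, new_project)):
            raise Forbidden("credential owner may not be changed to another principal")
    if "blob" in patch:
        old_blob, new_blob = json.loads(cred.blob), json.loads(patch["blob"])
        for key in KEYSTONE_CONTROLLED:
            if old_blob.get(key, _MISSING) != new_blob.get(key, _MISSING):
                raise Forbidden(f"keystone-controlled metadata {key!r} may not be altered")
        cred.blob = patch["blob"]
    cred.user_id, cred.project_id = new_user, new_project
    return cred


def roles_for_ec2_token(cred, assignments, trusts):
    """Roles a token minted from this credential carries: a trust-scoped
    credential gets the delegated roles the trustor still holds, nothing more."""
    trust_id = json.loads(cred.blob).get("trust_id")
    if trust_id:
        trust = trusts[trust_id]
        return assignments.get((trust.trustor_user_id, trust.project_id), set()) & trust.roles
    return set(assignments.get((cred.user_id, cred.project_id), set()))


def demo():
    """Constructed sample data; returns what each code path yields."""
    assignments = {("alice", "proj-a"): {"member", "reader"},
                   ("bob", "proj-a"): {"member"}}
    trusts = {"trust-1": Trust("alice", "bob", "proj-a", frozenset({"reader"}))}
    # bob created this credential through trust-1, so keystone recorded trust_id.
    blob = {"access": "ACCESS-EXAMPLE", "secret": "SECRET-EXAMPLE", "trust_id": "trust-1"}
    cred = Credential("cred-1", "bob", "proj-a", json.dumps(blob))
    null_patch = {"blob": json.dumps({**blob, "trust_id": None})}
    results = {"delegated": roles_for_ec2_token(cred, assignments, trusts)}

    vuln = update_credential_unchecked(replace(cred), null_patch, Context("bob"))
    results["after_unchecked"] = roles_for_ec2_token(vuln, assignments, trusts)

    try:
        update_credential_checked(replace(cred), null_patch, Context("bob"), assignments)
        results["checked_rejected"] = False
    except Forbidden:
        results["checked_rejected"] = True
    results["after_checked"] = roles_for_ec2_token(cred, assignments, trusts)

    owner_patch = {"user_id": "alice"}
    try:
        update_credential_checked(replace(cred), owner_patch, Context("bob"), assignments)
        results["owner_change_by_user"] = "allowed"
    except Forbidden:
        results["owner_change_by_user"] = "forbidden"
    admin = update_credential_checked(replace(cred), owner_patch,
                                      Context("root", is_system_admin=True), assignments)
    results["owner_change_by_admin"] = admin.user_id
    return results


if __name__ == "__main__":
    print(demo())
```

The sentinel comparison is the detail worth keeping: comparing with plain `.get(key)` would treat a blob that never had trust_id and one whose trust_id was set to null as equal, which is exactly the shape of the PATCH in this bug report.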