[Openstack-security] [Bug 1300274] Re: V3 Authentication Chaining - uniqueness of auth method names
Florent Flament
florent.flament-ext at cloudwatt.com
Wed Apr 2 13:24:26 UTC 2014
@Thierry, the difference that I see between many authentication requests
versus one request with many authentication methods is that in the
first case an operator may limit the rate at which requests are
processed, but it's more difficult to protect Keystone against a few
requests triggering many authentication trials.
https://bugs.launchpad.net/bugs/1300274
Title:
V3 Authentication Chaining - uniqueness of auth method names
Status in OpenStack Identity (Keystone):
In Progress
Status in OpenStack Security Advisories:
Incomplete
Bug description:
In the V3.0 API, we can chain authentication methods. An attacker can
place the same authentication method multiple times in the methods
field. This will result in the same authentication method checking
over and over (for loop in code). Using this, an attacker can achieve
some sort of denial of service. The methods field is not properly
sanitized.
{
    "auth": {
        "identity": {
            "methods": [
                "password",
                "password",
                "password",
                "password",
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "id": "default"
                    },
                    "name": "demo",
                    "password": "stack"
                }
            }
        }
    }
}
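An added illustration (not Keystone's own code) of the loop the bug report describes, where every entry in "methods" is executed, beside a validation step that rejects duplicate or unknown entries before any credential check runs. SUPPORTED_METHODS, AuthError and the stand-in password check are assumptions made for the example.

```python
# Added example (not Keystone code): a minimal model of V3 auth chaining.
# Constructed request mirroring the bug report; user/password are dummies.
SAMPLE_REQUEST = {
    "auth": {"identity": {
        "methods": ["password"] * 5,  # the duplicated entries from the report
        "password": {"user": {"domain": {"id": "default"},
                              "name": "demo", "password": "stack"}}}}}

SUPPORTED_METHODS = {"password", "token"}  # assumed set of enabled plugins

class AuthError(ValueError):
    """Raised when the auth block is malformed (hypothetical error type)."""

def expensive_password_check(data):
    """Stand-in for a real (slow) credential verification."""
    return data["user"]["name"] == "demo" and data["user"]["password"] == "stack"

def authenticate_unchecked(request):
    """The behaviour the bug describes: every entry in 'methods' is executed,
    so five copies of "password" mean five credential checks."""
    identity = request["auth"]["identity"]
    checks = 0
    for method in identity["methods"]:
        if method == "password":
            expensive_password_check(identity["password"])
            checks += 1
    return checks

def validate_methods(identity):
    """Reject duplicate, unknown or data-less method names before dispatch."""
    methods = identity.get("methods")
    if not isinstance(methods, list) or not methods or \
            not all(isinstance(m, str) for m in methods):
        raise AuthError("methods must be a non-empty list of strings")
    if len(set(methods)) != len(methods):
        raise AuthError("duplicate authentication method in request")
    unknown = set(methods) - SUPPORTED_METHODS
    if unknown:
        raise AuthError("unsupported method(s): %s" % sorted(unknown))
    for method in methods:
        if method not in identity:
            raise AuthError("missing data for method %r" % method)
    return methods

def authenticate_checked(request):
    """Hardened variant: validate first, so each method runs at most once."""
    validate_methods(request["auth"]["identity"])
    return authenticate_unchecked(request)
```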