[Openstack-security] [Bug 1300274] Re: V3 Authentication Chaining - uniqueness of auth method names
Tristan Cacqueray
tristan.cacqueray at enovance.com
Mon Apr 7 16:03:39 UTC 2014
Impact description draft #1:
Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: 2013.2 versions up to 2013.2.3
Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1300274
Title:
V3 Authentication Chaining - uniqueness of auth method names
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
New
Status in OpenStack Security Advisories:
Confirmed
Bug description:
In V3.0 API, we can chain authentication methods. An attacker can
place the same authentication method multiple times in the methods
filed. This will result in the same authentication method checking
over and over (for loop in code). Using this, an attacker can achieve
some sorts of Denial of Service. The methods field is not properly
sanitized.
{
"auth":{
"identity":{
"methods":[
"password",
"password",
"password",
"password",
"password"
],
"password":{
"user":{
"domain":{
"id":"default"
},
"name":"demo",
"password":"stack"
}
}
}
}
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1300274/+subscriptions
More information about the Openstack-security
mailing list