[Openstack-security] [Bug 1446406] Re: Insecure signing_dir configuration in barbican-api-paste.ini

OpenStack Infra 1446406 at bugs.launchpad.net
Mon Apr 27 08:58:55 UTC 2015 

Reviewed:  https://review.openstack.org/177378
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=46184bb4b3a81e503a9e4aff4ba9ea0a66061a16
Submitter: Jenkins
Branch:    stable/kilo

commit 46184bb4b3a81e503a9e4aff4ba9ea0a66061a16
Author: Charles Neill <charles.neill at rackspace.com>
Date:   Tue Apr 21 15:49:20 2015 -0500

    Removing signing_dir directive from config
    
    The signing_dir directive defined in barbican-api-paste.ini explicitly
    stores Keystone's signing certificates in a known /tmp directory. This
    could be exploited by populating the directory with bogus certificates,
    potentially allowing a malicious user to generate valid tokens.
    
    Added comment explaining signing_dir, and a reasonable
    (commented) default.
    
    Change-Id: I15fda6863e888e3881694ab47a836eee2fb578ee
    Closes-Bug: #1446406


** Changed in: barbican/kilo
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1446406

Title:
  Insecure signing_dir configuration in barbican-api-paste.ini

Status in OpenStack Key Management (Barbican):
  Fix Committed
Status in Barbican kilo series:
  Fix Committed

Bug description:
  It appears that Barbican sets signing_dir to "/tmp/barbican/cache" in
  etc/barbican/barbican-api-paste.ini (Reference:
  https://github.com/openstack/barbican/blob/master/etc/barbican
  /barbican-api-paste.ini#L42)

  A Nova bug from 2013 (https://bugs.launchpad.net/nova/+bug/1174608) mentions that they had the same basic issue, and it's a security issue because:
  "This means that if an attacker populated the /tmp/keystone-signing-nova
  with the appropriate files for signautre verification they could potentially
  issue forged tokens which would be validated by the middleware. As:
      - The directory location deterministic. (default for glance, nova)
      - *If the directory already exists it is reused*"

  This Nova bug was issued CVE-2013-2030: http://www.cve.mitre.org/cgi-
  bin/cvename.cgi?name=2013-2030

  This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode:
  2015-03-23 16:59:15 zigo_   I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix.
  2015-03-23 16:59:28 zigo_   The signing_dir directive should never be set to /tmp like this.
  2015-03-23 16:59:33 zigo_   Best is to simply remove the directive.
  2015-03-23 16:59:57 zigo_   I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :)

  zigo's suggested fix was to remove the directive. It appears Cinder
  has taken this approach for their project
  (https://bugs.launchpad.net/cinder/+bug/1185098)

To manage notifications about this bug go to:
https://bugs.launchpad.net/barbican/+bug/1446406/+subscriptions

More information about the Openstack-security mailing list