[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames

Jeremy Stanley fungi at yuggoth.org
Mon Dec 17 14:13:54 UTC 2018 

I've updated the bug title to more accurately indicate this is a timing
oracle in Keystone's core auth plugin, and so is still mitigated by the
usual account brute-forcing defenses (e.g., enforcing strong
authentication secrets, temporarily rejecting failing authentication
attempts per source IP address, throttling calls to relevant API
methods, et cetera).

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1795800

Title:
  Timing oracle in core auth plugin simplifies brute-forcing usernames

Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The response times for POST /v3/auth/tokens are significantly higher
  for valid usernames compared to those of invalid ones, making it
  possible to enumerate users on the system.

  Examples:

  # For invalid username
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 141
  Content-Type: application/json

  {"auth":{"identity":{"methods":
  ["password"],"password":{"user":{"name":
  "nonexisting","domain":{"name": "Default"},"password":
  "devstacker"}}}}}

  + Response Time: <150ms

  # For valid username ('admin' in this case)
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 139
  Content-Type: application/json

  {"auth":{"identity":{"methods":
  ["password"],"password":{"user":{"name": "admin","domain":{"name":
  "Default"},"password": "devstacker"}}}}}

  + Response time: >600ms

  # Tested version
  v3.8

  [UPDATE 3 Oct 2018 5:01 AEST]
  Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
  * With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
  * Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognisable with a good sample size.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1795800/+subscriptions

More information about the Openstack-security mailing list