[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames
Jeremy Stanley
fungi at yuggoth.org
Mon Dec 17 14:22:33 UTC 2018
Note that, unlike what the CVE dispute info suggests, the Keystone team
has not concluded performance degradation would result from possible
methods of reducing the efficacy of this particular oracle. They in fact
indicated that fixes for this hardening opportunity would be welcome
("wishlist" importance, please see Colleen's comment #9).
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1795800
Title:
Timing oracle in core auth plugin simplifies brute-forcing usernames
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The response times for POST /v3/auth/tokens are significantly higher
for valid usernames compared to those of invalid ones, making it
possible to enumerate users on the system.
Examples:
# For invalid username
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 141
Content-Type: application/json
{"auth":{"identity":{"methods":
["password"],"password":{"user":{"name":
"nonexisting","domain":{"name": "Default"},"password":
"devstacker"}}}}}
+ Response Time: <150ms
# For valid username ('admin' in this case)
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 139
Content-Type: application/json
{"auth":{"identity":{"methods":
["password"],"password":{"user":{"name": "admin","domain":{"name":
"Default"},"password": "devstacker"}}}}}
+ Response time: >600ms
# Tested version
v3.8
[UPDATE 3 Oct 2018 5:01 AEST]
Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
* With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
* Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognisable with a good sample size.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1795800/+subscriptions
More information about the Openstack-security
mailing list