[Openstack-security] [Bug 1795800] Re: Timing oracle in core auth plugin simplifies brute-forcing usernames

OpenStack Infra 1795800 at bugs.launchpad.net
Mon Dec 17 19:53:41 UTC 2018 

Fix proposed to branch: master
Review: https://review.openstack.org/625699

** Changed in: keystone
       Status: Triaged => In Progress

** Changed in: keystone
     Assignee: (unassigned) => Gage Hugo (gagehugo)

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1795800

Title:
  Timing oracle in core auth plugin simplifies brute-forcing usernames

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The response times for POST /v3/auth/tokens are significantly higher
  for valid usernames compared to those of invalid ones, making it
  possible to enumerate users on the system.

  Examples:

  # For invalid username
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 141
  Content-Type: application/json

  {  
     "auth":{  
        "identity":{  
           "methods":[  
              "password"
           ],
           "password":{  
              "user":{  
                 "name":"nonexisting",
                 "domain":{  
                    "name":"Default"
                 },
                 "password":"devstacker"
              }
           }
        }
     }
  }

  + Response Time: <150ms

  # For valid username ('admin' in this case)
  + Request
  POST /v3/auth/tokens HTTP/1.1
  Host: hostname:5000
  Connection: close
  Content-Length: 139
  Content-Type: application/json

  {  
     "auth":{  
        "identity":{  
           "methods":[  
              "password"
           ],
           "password":{  
              "user":{  
                 "name":"admin",
                 "domain":{  
                    "name":"Default"
                 },
                 "password":"devstacker"
              }
           }
        }
     }
  }

  + Response time: >600ms

  # Tested version
  v3.8

  [UPDATE 3 Oct 2018 5:01 AEST]
  Looks like it's also possible to enumerate for valid "domain" too. There're 2 ways that I can see:
  * With valid username: use the above user enum bug to guess the valid username, then brute the "domain" parameter. Response times are significantly higher for valid compared to invalid domains.
  * Without valid username: get a baseline response time using invalid username AND invalid domain name. Bruteforce the "domain" param until the response time hits an average high. For me invalid domain falls in the 90-100ms range whereas valid ones show 100+ms. This one looks a bit more obscure i.e. timing difference is not as distinguishable, but should still be recognizable with a good sample size.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1795800/+subscriptions

More information about the Openstack-security mailing list