termie / nova-migration-demo

Nova is a cloud computing fabric controller (the main part of an IaaS system). It is written in Python.
http://openstack.org/projects/compute/
Apache License 2.0

OpenStack API authentication information leakage #93

Closed termie closed 13 years ago

termie commented 13 years ago

When logging in using the OpenStack API, I should get the same error (401?) if my credentials are wrong no matter what.

However, if I use the password of anyone in the system, I get a 401. If my password does not match anyone in the system, then I get a 500. Obvious birthday-paradox attack.

Thankfully the OpenStack API isn't released yet, so not classifying this as a vulnerability.


Imported from Launchpad using lp2gh.

termie commented 13 years ago

(by ttx) Nice catch. None of the linked branches directly address this bug, right? In which case maybe those should be unlinked to avoid giving the impression this is already being addressed?

termie commented 13 years ago

(by justin-fathomdb) Sorry - the branches test for the issue, but they don't currently try to fix it. I'm staying away from making any more auth changes, not least because I've already fixed this bug once!

There are some pretty decent tests in test-openstack-login for the issue though, they're just commented out. The branches are "Related" but I'm not working on the issue at the moment.

termie commented 13 years ago

(by donal-lafferty) It's a security flaw, but it's not to do with the birthday-paradox. The birthday-paradox attack is used in the context of hash collisions, which I verified with a colleague in security. The vulnerability below simplifies a brute force attack.

DL

-----Original Message-----
From: bounces@canonical.com [mailto:bounces@canonical.com] On Behalf Of justinsb
Sent: 10 March 2011 21:24
To: Donal Lafferty
Subject: [Bug 732866] [NEW] OpenStack API authentication information leakage

Public bug reported:

When logging in using the OpenStack API, I should get the same error (401?) if my credentials are wrong no matter what.

However, if I use the password of anyone in the system, I get a 401. If my password does not match anyone in the system, then I get a 500. Obvious birthday-paradox attack.

Thankfully the OpenStack API isn't released yet, so not classifying this as a vulnerability.

Affects: nova
Importance: Undecided
Status: New

You received this bug notification because you are subscribed to OpenStack. https://bugs.launchpad.net/bugs/732866


termie commented 13 years ago

(by justin-fathomdb) On reflection, I think you're probably right, it's not the birthday paradox. I was trying to communicate the idea that because the password is checked against every password in the system (not just the user's password), as the number of users/passwords in the system increases, the ease with which we can discover passwords increases.

I think we're all agreed it should be fixed!

And maybe in the future we can persuade you & your colleague to have a look at the authentication code, when the 'real' authn system is implemented :-)
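
An added example, not part of the thread and not Nova's code: a small model of the behaviour described above (key looked up system-wide, 401 versus 500 on failure) beside a version that checks the key only against the named user's record and returns a single failure code. The account names, keys, function names and the 204 success code are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample accounts; names and keys are illustrative only.
USERS = {"alice": "key-alice-111", "bob": "key-bob-222"}
KEY_OWNER = {key: name for name, key in USERS.items()}


def leaky_login(username, api_key):
    """Models the reported behaviour: the key is looked up across all users."""
    try:
        owner = KEY_OWNER[api_key]   # KeyError when nobody holds this key
    except KeyError:
        return 500                   # stands in for the unhandled server error
    return 204 if owner == username else 401


def _digest(value):
    # Hash first so compare_digest always sees equal-length inputs.
    return hashlib.sha256(value.encode("utf-8")).digest()


def uniform_login(username, api_key):
    """Compare only against the named user's key; every failure is a 401."""
    try:
        # Unknown users get a dummy value so the comparison still runs.
        expected = USERS.get(username, "")
        match = hmac.compare_digest(_digest(expected), _digest(api_key))
        ok = match and username in USERS
    except Exception:
        # Log server-side; an internal fault must not change the response.
        ok = False
    return 204 if ok else 401


def distinct_failure_codes(login):
    """Status codes a caller observes across different kinds of bad login."""
    attempts = [
        ("alice", "key-bob-222"),    # another user's key
        ("alice", "no-such-key"),    # a key nobody holds
        ("mallory", "no-such-key"),  # unknown user
    ]
    return {login(user, key) for user, key in attempts}


if __name__ == "__main__":
    print("leaky:  ", sorted(distinct_failure_codes(leaky_login)))
    print("uniform:", sorted(distinct_failure_codes(uniform_login)))
```

A regression test for this class of bug asserts that the set of failure codes has exactly one member, which is the kind of check the commented-out login tests mentioned in the thread would cover.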