codehaus


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1786646] Re: Domain Existence Leaking without authentication


As there seems to be some consensus, I've gone ahead and switched this
bug to public, marking our security advisory task Won't Fix. I'll leave
it to the Keystone maintainers to do the same with theirs.

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2020-05-27 and will be made
- public by or on that date if no fix is identified.
- 
  The Domain Configuration subsystem, specifically PATCH
  /domains/{domain_id}/config/{group} appears to leak data before
  enforcement. The method called from the routed path[0] performs a
  "domain exists" check[1] before sending to the 'update_domain_config'
  method [2] which is behind the @protected decorator.
  
  This has the potential to be used to verify existence of domains by ID
  without authentication. This is in-fact a data leak. However, since
  domains (outside of "default" and the keystone-root domain) are uuids,
  this is likely a C1 classification in the VMT Taxonomy [3] (Useful if an
  attacker is guessing UUIDs). The only case where this is more
  significant is that it can be used to determine if the default domain is
  enabled/configured; the usefulness of such data is relatively suspect
  and unlikely to be meaningful.
  
  However, with all that said, since this is a potential security flaw,
  the bug has been marked private security.
  
  [0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
  [1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
  [2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
  [3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1786646

Title:
  Domain Existence Leaking without authentication

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The Domain Configuration subsystem, specifically PATCH
  /domains/{domain_id}/config/{group} appears to leak data before
  enforcement. The method called from the routed path[0] performs a
  "domain exists" check[1] before sending to the 'update_domain_config'
  method [2] which is behind the @protected decorator.

  This has the potential to be used to verify existence of domains by ID
  without authentication. This is in-fact a data leak. However, since
  domains (outside of "default" and the keystone-root domain) are uuids,
  this is likely a C1 classification in the VMT Taxonomy [3] (Useful if
  an attacker is guessing UUIDs). The only case where this is more
  significant is that it can be used to determine if the default domain
  is enabled/configured; the usefulness of such data is relatively
  suspect and unlikely to be meaningful.

  However, with all that said, since this is a potential security flaw,
  the bug has been marked private security.

  [0] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/routers.py#L55
  [1] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L134
  [2] https://github.com/openstack/keystone/blob/c7ae6b798ad4b2164ed6248f1714ec44b27edb7a/keystone/resource/controllers.py#L125-L131
  [3] https://security.openstack.org/vmt-process.html#incident-report-taxonomy

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1786646/+subscriptions