Bug 749385 (CVE-2011-4076)

Summary: CVE-2011-4076 openstack-nova: EC2 API password leak
Product: [Other] Security Response
Reporter: Mark McLoughlin <markmc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: urgent
Priority: urgent
Version: unspecified
CC: alexander.sakhnov, apevec, awilliam, jlieskov, jrusnack, lpeer, markmc, matt_domsch, mlvov, p, rbryant, sdake
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-07-09 20:08:24 UTC

Description Mark McLoughlin 2011-10-26 21:22:05 UTC
From:

 https://bugs.launchpad.net/nova/+bug/868360

 If the secret key doesn't match for the ec2 request, the exception is
 passed back to the user, showing the correct password.

 To replicate:
 # export EC2_ACCESS_KEY='oomNAG3AGwnlKDAM9gFe'
 # export EC2_SECRET_KEY='anything'
 # euca-describe-instances
 [...]
 InvalidSignature: Invalid signature 
 w6q++6lcvoEcBkcQuT1yNDURSpM8tq3a+WbhYeKWuX4= for user 
 User('nova', 'nova', 'oomNAG3AGwnlKDAM9gFe', 'eXTMGYDx7FhSI7ng3YfE', True).

i.e. the correct password is leaked back to the user if the incorrect password is given.

CVE-2011-4076 is reserved for the issue.
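
The bug class described above, as an added example that is not nova's code and not part of the original report: an authentication error that interpolates the user object leaks the stored secret through its repr, next to a hardened check. The class and function names, the HMAC-SHA256 signing scheme and any key values passed in are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


class InvalidSignature(Exception):
    pass


class User:
    """Hypothetical user record; field order mirrors the User(...) output above."""

    def __init__(self, id, name, access, secret, admin):
        self.id, self.name, self.access = id, name, access
        self.secret, self.admin = secret, admin

    def __repr__(self):
        # Leaky repr: every field, including the secret key.
        return "User(%r, %r, %r, %r, %r)" % (
            self.id, self.name, self.access, self.secret, self.admin)


class SafeUser(User):
    def __repr__(self):
        # Redacted repr: safe to land in logs, tracebacks and API errors.
        return "User(%r, %r, %r, '<redacted>', %r)" % (
            self.id, self.name, self.access, self.admin)


def sign(secret, payload):
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def authenticate_leaky(user, payload, signature):
    if sign(user.secret, payload) != signature:
        # Bug class from the report: the error text embeds repr(user).
        raise InvalidSignature(
            "Invalid signature %s for user %r." % (signature, user))
    return user


def authenticate_hardened(user, payload, signature):
    # Constant-time comparison; the error names nothing but the failure.
    if not hmac.compare_digest(sign(user.secret, payload), signature):
        raise InvalidSignature("Invalid signature.")
    return user
```

Redacting the repr matters independently of the error message, because the same object can reach logs and tracebacks by other paths.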

Comment 1 Mark McLoughlin 2011-10-26 21:26:36 UTC
Although a serious security issue, it's actually quite unlikely anyone has Fedora 16 OpenStack deployed in a hostile environment - the default configuration does no password checking for this API and we haven't even written any instructions for configuring, or test cases for testing, the API with authentication enabled.

Comment 2 Mark McLoughlin 2011-10-26 21:28:04 UTC
(In reply to comment #1)
> Although a serious security issue, it's actually quite unlikely anyone has
> Fedora 16 OpenStack deployed in a hostile environment

Obviously, I forgot to include "*yet*" - we may well see such deployments, but I don't think any exist yet.

Comment 3 Mark McLoughlin 2011-10-26 21:44:26 UTC
Proposing as a F16 freeze exception, since going ahead and shipping with such a security issue in a Fedora 16 Feature seems like a bad idea.

https://fedoraproject.org/wiki/Features/OpenStack

Comment 4 Fedora Update System 2011-10-26 21:45:35 UTC
openstack-nova-2011.3-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openstack-nova-2011.3-6.fc16

Comment 5 Adam Williamson 2011-10-27 06:28:48 UTC
Is this stuff actually on the DVD and included in any kind of selectable package set? If not, it really doesn't make much difference whether it 'makes the release' or goes out as an update.

Comment 6 Jan Lieskovsky 2011-10-27 08:46:04 UTC
The CVE identifier of CVE-2011-4076 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/10/25/4

Note: Wasn't sure if security response bug is necessary also for
      upcoming F-16 packages. Will know next time, thanks for
      dealing with this one.

Comment 7 Adam Williamson 2011-10-28 19:35:39 UTC
Discussed at 2011-10-28 NTH review meeting. Rejected as NTH as openstack is not on any release media, so this can safely be fixed with a 0-day update; it does not need to go through the freeze.