749385 – (CVE-2011-4076) CVE-2011-4076 openstack-nova: EC2 API password leak

Bug 749385 (CVE-2011-4076) - CVE-2011-4076 openstack-nova: EC2 API password leak

Summary: CVE-2011-4076 openstack-nova: EC2 API password leak

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2011-4076
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-10-26 21:22 UTC by Mark McLoughlin
Modified:	2015-07-27 08:24 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-09 20:08:24 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	868360	0	None	None	None	Never

Description Mark McLoughlin 2011-10-26 21:22:05 UTC

From:

 https://bugs.launchpad.net/nova/+bug/868360

 If the secret key doesn't match for the ec2 request, the exception
 passed back to the user, showing the correct password.

 To replicate:
 # export EC2_ACCESS_KEY='oomNAG3AGwnlKDAM9gFe'
 # export EC2_SECRET_KEY='anything'
 # euca-describe-instances
 [...]
 InvalidSignature: Invalid signature 
 w6q++6lcvoEcBkcQuT1yNDURSpM8tq3a+WbhYeKWuX4= for user 
 User('nova', 'nova', 'oomNAG3AGwnlKDAM9gFe', 'eXTMGYDx7FhSI7ng3YfE', True).

i.e. the correct password is leaked back to the user if the incorrect password is given

CVE 2011-4076 is reserved for the issue

Comment 1 Mark McLoughlin 2011-10-26 21:26:36 UTC

Although a serious security issue, it's actually quite unlikely anyone has Fedora 16 OpenStack deployed in a hostile environment - the default configuration does no password checking for this API and we haven't even written any instructions for configuring, or test cases for testing, the API with authentication enabled

Comment 2 Mark McLoughlin 2011-10-26 21:28:04 UTC

(In reply to comment #1)
> Although a serious security issue, it's actually quite unlikely anyone has
> Fedora 16 OpenStack deployed in a hostile environment

Obviously, I forgot to include "*yet*" - we may well see such deployments, but I don't think any exist yet

Comment 3 Mark McLoughlin 2011-10-26 21:44:26 UTC

Proposing as a F16 freeze exception since going ahead and shipping with such a security issue in a Fedora 16 Feature seems like a bad idea

https://fedoraproject.org/wiki/Features/OpenStack

Comment 4 Fedora Update System 2011-10-26 21:45:35 UTC

openstack-nova-2011.3-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openstack-nova-2011.3-6.fc16

Comment 5 Adam Williamson 2011-10-27 06:28:48 UTC

is this stuff actually on the dvd and included in any kind of selectable package set? if not, it really doesn't make much difference whether it 'makes the release' or goes out as an update.

Comment 6 Jan Lieskovsky 2011-10-27 08:46:04 UTC

The CVE identifier of CVE-2011-4076 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/10/25/4

Note: Wasn't sure if security response bug is necessary also for
      upcoming F-16 packages. Will know next time, thanks for
      dealing with this one.

Comment 7 Adam Williamson 2011-10-28 19:35:39 UTC

Discussed at 2011-10-28 NTH review meeting. Rejected as NTH as openstack is not on any release media so this can safely be fixed with a 0-day update, it does not need to go through the freeze.

Note You need to log in before you can comment on or make changes to this bug.