Bug 974271 - (CVE-2013-2166, CVE-2013-2167) CVE-2013-2166 CVE-2013-2167 python-keystoneclient: middleware memcache encryption and signing bypass
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130619,repo...
Keywords: Security
Depends On: 974273 974274 974275 976024 976025
Blocks: 974276
Reported: 2013-06-13 15:49 EDT by Kurt Seifried
Modified: 2016-04-27 00:53 EDT
Doc Type: Bug Fix
Last Closed: 2014-11-06 00:54:48 EST

Attachments
client-CVE-2013-2166-CVE-2013-2167.patch (29.74 KB, patch), 2013-06-13 16:40 EDT, Kurt Seifried
Description Kurt Seifried 2013-06-13 15:49:46 EDT
Thierry Carrez (secalert@redhat.com) reports:

Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: version 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation
of memcache signing/encryption feature in Keystone client middleware. An
attacker with direct write access to the memcache backend (or in a
man-in-the-middle position) could insert malicious data and potentially
bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167)
security strategy that was specified. Only setups that make use of
memcache caching in the Keystone middleware (specify memcache_servers)
and use ENCRYPT or MAC as their memcache_security_strategy are affected.
Comment 2 Kurt Seifried 2013-06-13 15:59:06 EDT
In general, the memcached for OpenStack (and any memcached deployment, generally speaking) should be restricted to trusted systems due to the lack of authentication in memcached. However, the signing/encryption of data within memcached is an attempt to alleviate these problems, so systems using these capabilities may have exposed memcached to untrusted systems.
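The advisory above describes the failure mode only at a high level: a party who can write to the memcache backend inserts an entry that the middleware then accepts as if it had been protected by the configured strategy. The block below is an added illustration, not python-keystoneclient's actual entry format, code, or fix; the format (`strategy|base64(tag)|base64(body)`), the function names and the secrets are all constructed for the example. It shows the checks a validating reader should perform on anything it pulls back from an unauthenticated cache: compare the entry's strategy marker against the configured strategy before anything else, bind that marker and a strategy-specific key into the MAC so a marker swap or a tag made under a different key fails, and compare tags in constant time. Only the MAC strategy is implemented; an ENCRYPT strategy would add an encrypt-then-MAC layer around the same policy check.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a minimal signed cache-entry format. It is NOT the
# layout python-keystoneclient uses; names, format and secrets are assumptions.


class CacheEntryError(Exception):
    """Raised when a cached entry fails any integrity or policy check."""


def _derive_key(secret: bytes, strategy: str) -> bytes:
    # The key is bound to the strategy name, so a tag produced under one
    # strategy cannot validate an entry that claims another.
    return hmac.new(secret, b"memcache-strategy:" + strategy.encode(), hashlib.sha256).digest()


def _tag(secret: bytes, strategy: str, body: bytes) -> bytes:
    # The tag covers both the strategy marker and the body, so neither can be
    # swapped independently of the other.
    key = _derive_key(secret, strategy)
    return hmac.new(key, strategy.encode() + b"\x00" + body, hashlib.sha256).digest()


def pack_entry(secret: bytes, strategy: str, payload: dict) -> bytes:
    """Serialize a payload for storage under the MAC strategy."""
    if strategy != "MAC":
        raise ValueError("this example implements only the MAC strategy")
    body = json.dumps(payload, sort_keys=True).encode()
    tag = _tag(secret, strategy, body)
    return b"|".join([strategy.encode(), base64.b64encode(tag), base64.b64encode(body)])


def unpack_entry(secret: bytes, expected_strategy: str, raw: bytes) -> dict:
    """Validate a raw entry read from the cache. Everything from the cache is untrusted."""
    parts = raw.split(b"|")
    if len(parts) != 3:
        raise CacheEntryError("malformed entry")
    marker, tag_b64, body_b64 = parts
    # Policy check first: the entry must claim exactly the configured strategy.
    # An entry marked NONE (or anything else) is refused even if well formed.
    if marker != expected_strategy.encode():
        raise CacheEntryError("strategy mismatch: stored %r, configured %r"
                              % (marker, expected_strategy))
    try:
        tag = base64.b64decode(tag_b64, validate=True)
        body = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise CacheEntryError("undecodable entry")
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(secret, expected_strategy, body)):
        raise CacheEntryError("MAC verification failed")
    try:
        return json.loads(body)
    except ValueError:
        raise CacheEntryError("body is not valid JSON")


def _outcome(secret: bytes, raw: bytes) -> str:
    try:
        unpack_entry(secret, "MAC", raw)
        return "accepted"
    except CacheEntryError as exc:
        return "rejected: " + str(exc)


def demo_rejections(secret: bytes) -> dict:
    """Exercise the reader against an intact entry and three tampered ones."""
    payload = {"token": "constructed-token", "expires": 1700000000}
    good = pack_entry(secret, "MAC", payload)
    marker, tag, body = good.split(b"|")
    outcomes = {"intact": unpack_entry(secret, "MAC", good)}
    # 1. body replaced in the cache, original tag left in place
    forged = base64.b64encode(json.dumps({"token": "forged", "expires": 1700000000}).encode())
    outcomes["tampered_body"] = _outcome(secret, b"|".join([marker, tag, forged]))
    # 2. downgrade: entry claims no protection was applied
    outcomes["downgrade_none"] = _outcome(secret, b"|".join([b"NONE", tag, body]))
    # 3. entry produced under a different (constructed) secret
    other = pack_entry(b"some-other-constructed-secret", "MAC", {"token": "forged"})
    outcomes["wrong_key"] = _outcome(secret, other)
    return outcomes


if __name__ == "__main__":
    for case, result in demo_rejections(b"constructed-secret").items():
        print(case, "->", result)
```

The ordering inside `unpack_entry` is the point: the configured strategy is enforced by the reader, not inferred from whatever marker the cache hands back, and the MAC is only consulted after that policy check passes.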
Comment 4 Kurt Seifried 2013-06-13 16:40:21 EDT
Created attachment 760946 [details]
client-CVE-2013-2166-CVE-2013-2167.patch
Comment 5 Kurt Seifried 2013-06-13 16:48:34 EDT
Red Hat OpenStack 1 (Essex) and 2.1 (Folsom) do not contain the affected code and are not affected as such.
Comment 9 Kurt Seifried 2013-06-19 14:43:05 EDT
This is now public: http://openwall.com/lists/oss-security/2013/06/19/5
Comment 10 Kurt Seifried 2013-06-19 14:44:36 EDT
Created python-keystoneclient tracking bugs for this issue

Affects: epel-6 [bug 976024]
Comment 11 Kurt Seifried 2013-06-19 14:45:18 EDT
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-all [bug 976025]
Comment 13 Murray McAllister 2013-06-24 02:35:10 EDT
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Paul McMillan of Nebula as the original
reporter.
Comment 14 errata-xmlrpc 2013-06-27 12:51:02 EDT
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0992 https://rhn.redhat.com/errata/RHSA-2013-0992.html
Comment 15 Fedora Update System 2013-08-14 22:34:24 EDT
python-keystoneclient-0.2.3-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
