Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 974271 (CVE-2013-2166, CVE-2013-2167) - CVE-2013-2166 CVE-2013-2167 python-keystoneclient: middleware memcache encryption and signing bypass
Summary: CVE-2013-2166 CVE-2013-2167 python-keystoneclient: middleware memcache encryp...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2166, CVE-2013-2167
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 974273 974274 974275 976024 976025
Blocks: 974276
TreeView+ depends on / blocked
 
Reported: 2013-06-13 19:49 UTC by Kurt Seifried
Modified: 2021-02-17 07:37 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-06 05:54:48 UTC


Attachments (Terms of Use)
client-CVE-2013-2166-CVE-2013-2167.patch (29.74 KB, patch)
2013-06-13 20:40 UTC, Kurt Seifried
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0992 0 normal SHIPPED_LIVE Important: python-keystoneclient security, bug fix, and enhancement update 2013-06-27 20:44:09 UTC

Description Kurt Seifried 2013-06-13 19:49:46 UTC
Thierry Carrez (secalert@redhat.com) reports:

Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: version 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation
of memcache signing/encryption feature in Keystone client middleware. An
attacker with direct write access to the memcache backend (or in a
man-in-the-middle position) could insert malicious data and potentially
bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167)
security strategy that was specified. Only setups that make use of
memcache caching in the Keystone middleware (specify memcache_servers)
and using ENCRYPT or MAC as their memcache_security_strategy are affected.

Comment 2 Kurt Seifried 2013-06-13 19:59:06 UTC
In general the memcached for OpenStack (and any memcached deployment generally speaking) should be restricted to trusted systems due to the lack of authentication in memcached. However the signing/encryption of data within memcached is an attempt to alleviate this problems so systems using these capabilities may have exposed memcached to untrusted systems.

Comment 4 Kurt Seifried 2013-06-13 20:40:21 UTC
Created attachment 760946 [details]
client-CVE-2013-2166-CVE-2013-2167.patch

Comment 5 Kurt Seifried 2013-06-13 20:48:34 UTC
Red Hat OpenStack 1 (Essex) and 2.1 (Folsom) do not contain the affected code and are not affected as such.

Comment 9 Kurt Seifried 2013-06-19 18:43:05 UTC
THIs is now public http://openwall.com/lists/oss-security/2013/06/19/5

Comment 10 Kurt Seifried 2013-06-19 18:44:36 UTC
Created python-keystoneclient tracking bugs for this issue

Affects: epel-6 [bug 976024]

Comment 11 Kurt Seifried 2013-06-19 18:45:18 UTC
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-all [bug 976025]

Comment 13 Murray McAllister 2013-06-24 06:35:10 UTC
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Paul McMillan of Nebula as the original
reporter.

Comment 14 errata-xmlrpc 2013-06-27 16:51:02 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0992 https://rhn.redhat.com/errata/RHSA-2013-0992.html

Comment 15 Fedora Update System 2013-08-15 02:34:24 UTC
python-keystoneclient-0.2.3-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.