Bug 749385 (CVE-2011-4076) - CVE-2011-4076 openstack-nova: EC2 API password leak
Summary: CVE-2011-4076 openstack-nova: EC2 API password leak
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2011-4076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-26 21:22 UTC by Mark McLoughlin
Modified: 2015-07-27 08:24 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-09 20:08:24 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 868360 None None None Never

Description Mark McLoughlin 2011-10-26 21:22:05 UTC
From:

 https://bugs.launchpad.net/nova/+bug/868360

 If the secret key doesn't match for the ec2 request, the exception
 passed back to the user, showing the correct password.

 To replicate:
 # export EC2_ACCESS_KEY='oomNAG3AGwnlKDAM9gFe'
 # export EC2_SECRET_KEY='anything'
 # euca-describe-instances
 [...]
 InvalidSignature: Invalid signature 
 w6q++6lcvoEcBkcQuT1yNDURSpM8tq3a+WbhYeKWuX4= for user 
 User('nova', 'nova', 'oomNAG3AGwnlKDAM9gFe', 'eXTMGYDx7FhSI7ng3YfE', True).

i.e. the correct password is leaked back to the user if the incorrect password is given

CVE 2011-4076 is reserved for the issue

Comment 1 Mark McLoughlin 2011-10-26 21:26:36 UTC
Although a serious security issue, it's actually quite unlikely anyone has Fedora 16 OpenStack deployed in a hostile environment - the default configuration does no password checking for this API and we haven't even written any instructions for configuring, or test cases for testing, the API with authentication enabled

Comment 2 Mark McLoughlin 2011-10-26 21:28:04 UTC
(In reply to comment #1)
> Although a serious security issue, it's actually quite unlikely anyone has
> Fedora 16 OpenStack deployed in a hostile environment

Obviously, I forgot to include "*yet*" - we may well see such deployments, but I don't think any exist yet

Comment 3 Mark McLoughlin 2011-10-26 21:44:26 UTC
Proposing as a F16 freeze exception since going ahead and shipping with such a security issue in a Fedora 16 Feature seems like a bad idea

https://fedoraproject.org/wiki/Features/OpenStack

Comment 4 Fedora Update System 2011-10-26 21:45:35 UTC
openstack-nova-2011.3-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openstack-nova-2011.3-6.fc16

Comment 5 Adam Williamson 2011-10-27 06:28:48 UTC
is this stuff actually on the dvd and included in any kind of selectable package set? if not, it really doesn't make much difference whether it 'makes the release' or goes out as an update.

Comment 6 Jan Lieskovsky 2011-10-27 08:46:04 UTC
The CVE identifier of CVE-2011-4076 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/10/25/4

Note: Wasn't sure if security response bug is necessary also for
      upcoming F-16 packages. Will know next time, thanks for
      dealing with this one.

Comment 7 Adam Williamson 2011-10-28 19:35:39 UTC
Discussed at 2011-10-28 NTH review meeting. Rejected as NTH as openstack is not on any release media so this can safely be fixed with a 0-day update, it does not need to go through the freeze.


Note You need to log in before you can comment on or make changes to this bug.