Bug 957033 (CVE-2013-2013) - CVE-2013-2013 OpenStack keystone: password disclosure on command line
Summary: CVE-2013-2013 OpenStack keystone: password disclosure on command line
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-2013
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 957034 957035 957036 971746 971837
Blocks: 957037
TreeView+ depends on / blocked
 
Reported: 2013-04-26 08:29 UTC by Kurt Seifried
Modified: 2021-02-17 07:45 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-07 00:32:12 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 938315 0 None None None Never

Description Kurt Seifried 2013-04-26 08:29:59 UTC 
Jake Dahn reports:

Updating password via CLI should be done via a secure password prompt, not text.

current: keystone user-password-update --user=jake --password=foo

expected: keystone user-password-update --user=jake
                        Password:
                        Repeat Password:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.
Comment 1 Kurt Seifried 2013-04-26 08:33:36 UTC 
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 957034]
Comment 2 Kurt Seifried 2013-04-26 08:34:34 UTC 
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 957035]
Comment 4 Alan Pevec 2013-04-26 19:00:35 UTC 
Upstream RFE
https://blueprints.launchpad.net/python-keystoneclient/+spec/prompt-for-password
Comment 5 Kurt Seifried 2013-05-22 23:38:58 UTC 
Jeremy Stanley (jeremy) reports:

Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions

Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing the process and potentially leaves
a record of the password within the shell command history.

Fix:
https://review.openstack.org/28702

External references:
https://bugs.launchpad.net/python-keystoneclient/+bug/938315
Comment 6 Jan Lieskovsky 2013-06-07 11:40:17 UTC 
Created python-keystoneclient tracking bugs for this issue

Affects: fedora-rawhide [bug 971837]
Comment 7 Alan Pevec 2013-06-28 19:16:48 UTC 
Fixed in python-keystoneclient 0.2.4

http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77
Comment 8 Fedora Update System 2013-08-19 18:07:38 UTC 
python-keystoneclient-0.2.0-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-08-21 00:08:58 UTC 
python-keystoneclient-0.2.0-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Garth Mollett 2014-03-07 00:32:12 UTC 
Statement:

The Red Hat Security Response Team has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Note You need to log in before you can comment on or make changes to this bug.