Thierry Carrez (secalert) reports: Title: Issues in Keystone middleware memcache signing/encryption feature Reporter: Paul McMillan (Nebula) Products: python-keystoneclient Affects: version 0.2.3 to 0.2.5 Description: Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_security_strategy are affected.
In general the memcached for OpenStack (and any memcached deployment generally speaking) should be restricted to trusted systems due to the lack of authentication in memcached. However the signing/encryption of data within memcached is an attempt to alleviate this problems so systems using these capabilities may have exposed memcached to untrusted systems.
Created attachment 760946 [details] client-CVE-2013-2166-CVE-2013-2167.patch
Red Hat OpenStack 1 (Essex) and 2.1 (Folsom) do not contain the affected code and are not affected as such.
THIs is now public http://openwall.com/lists/oss-security/2013/06/19/5
Created python-keystoneclient tracking bugs for this issue Affects: epel-6 [bug 976024]
Created python-keystoneclient tracking bugs for this issue Affects: fedora-all [bug 976025]
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Paul McMillan of Nebula as the original reporter.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:0992 https://rhn.redhat.com/errata/RHSA-2013-0992.html
python-keystoneclient-0.2.3-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.