OpenStack - User contributions [en]

Security Notes

2016-06-09T19:51:41Z

Nkinder: /* Published Security Notes */

The OpenStack Security Project (OSSP) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0068|OSSN-0068]] - DoS style attack on keystone, using repeated token revocation requests, can lead to service degradation or disruption
* [[OSSN/OSSN-0067|OSSN-0067]] - Barbican server discloses SQL password and X-auth token values via LOG.debug ("work in progress")
* [[OSSN/OSSN-0066|OSSN-0066]] - mongodb guest instance allows any user to connect ("work in progress")
* [[OSSN/OSSN-0065|OSSN-0065]] - Glance embargoed issue ("work in progress")
* [[OSSN/OSSN-0064|OSSN-0064]] - Keystone 'Admin_Token' in default configuration leads to insecure operation ("work in progress")
* [[OSSN/OSSN-0063|OSSN-0063]] - Nova and Cinder key manager for Barbican misuses cached credentials (9 Jun 2016)
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens (15 Dec 2015)
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)
* [[OSSN/OSSN-0060|OSSN-0060]] - Glance configuration option can lead to privilege escalation (25 Jan 2016)
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0063

2016-06-09T19:49:11Z

Nkinder: Created page with "__NOTOC__ == Nova and Cinder key manager for Barbican misuses cached credentials == === Summary === During the Icehouse release the Cinder and Nova projects added a feature t..."

__NOTOC__

== Nova and Cinder key manager for Barbican misuses cached credentials ==
=== Summary ===
During the Icehouse release the Cinder and Nova projects added a feature
that supports storage volume encryption using keys stored in Barbican.
The Barbican key manager, that is part of Nova and Cinder, had a bug
that could cause an authorized user to lose access to an encryption key
or allow the wrong user to gain access to an encryption key.

=== Affected Services / Software ===
Cinder: Icehouse, Juno, Kilo, Liberty
Nova: Juno, Kilo, Liberty

=== Discussion ===
The Barbican key manager is a feature that is part of Nova and Cinder to
allow those projects to create and retrieve keys in Barbican. The key
manager includes a cache function that allows for a copy_key() operation
to work while only validating the token once with Keystone.

This cache function had a bug such that the cached token was used for
operations where it was no longer valid. The symptoms of this error
vary, but include a user not being able to access their key or the wrong
user being able to access a key.

An affected user would see an error similar to this in their cinder log:

2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The
request you have made requires authentication. (Disable debug mode to
suppress these details.) (HTTP 401) (Request-ID:
req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)

=== Recommended Actions ===
Users wishing to use the Barbican key manager to provided keys for
volume encryption with Nova and Cinder should ensure they are using a
patched version.

A specification for a fix has been merged for the Mitaka release of both
Nova and Cinder. Additionally these patches have been backported to
stable/kilo and stable/liberty.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1523646
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Nova patch for Mitaka : https://review.openstack.org/254358/
* Nova patch for stable/liberty: https://review.openstack.org/288490
* Cinder patch for Mitaka : https://review.openstack.org/254357/
* Cinder patch for stable/liberty: https://review.openstack.org/266678
* Cinder patch for stable/kilo: https://review.openstack.org/266680
* CVE : N/A

OSSN/OSSN-0060

2016-01-25T20:56:17Z

Nkinder: /* Contacts / References */

__NOTOC__

== Glance configuration option can lead to privilege escalation ==
=== Summary ===
Glance exposes a configuration option called `use_user_token` in the
configuration file `glance-api.conf`. It should be noted that the
default setting (`True`) is secure. If, however, the setting is
changed to `False` and valid admin credentials are supplied in the
following section (`admin_user` and `admin_password`), Glance API
commands will be executed with admin privileges regardless of the
intended privilege level of the calling user.

=== Affected Services / Software ===
Glance, Juno, Kilo, Liberty

=== Discussion ===
The `use_user_token` configuration option was created to enable
automatic re-authentication for tokens whch are close to expiration,
thus preventing the tokens from expiring in the middle of
longer-lasting Glance commands. Unfortunately the implementation
enables privilege escalation attacks by automatically executing API
commands as an administrator level user.

By default `use_user_token` is set to `True` which is secure. If the
option is disabled (set to `False`) and valid admin credentials are
specified in the `glance-api.conf` file, API commands will be executed
as the supplied admin user regardless of the intended privileges of the
calling user. Glance API v2 configurations which don't enable the
registry service (`data_api = glance.db.registry.api`) aren't affected.

Enabling unauthenticated and lower privileged users to execute Glance
commands with administrator privileges is very dangerous and may
expose risks including:
* tampering with images
* deleting images
* denial of service attacks

=== Recommended Actions ===
A comprehensive fix will be included in the Mitaka release. Meanwhile
it is recommended that all users ensure that `use_user_token` is left
at the default setting (`True`) or commented out.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448
* OpenStack Security Documentation : https://security.openstack.org
* OpenStack Security Project : https://wiki.openstack.org/wiki/Security
* Bug Introduction : https://review.openstack.org/#/c/29967/

Security Notes

2016-01-25T20:55:36Z

Nkinder: /* Published Security Notes */

The OpenStack Security Project (OSSP) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0063|OSSN-0063]] - Improper use of cached credentials in Nova and Cinder Key Manager ('''work in progress''')
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens (15 Dec 2015)
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)
* [[OSSN/OSSN-0060|OSSN-0060]] - Glance configuration option can lead to privilege escalation (25 Jan 2016)
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

Security Notes

2015-12-15T23:00:41Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0062|OSSN-0062]] -Potential reuse of revoked Identity tokens (15 Dec 2015)
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0062

2015-12-15T23:00:16Z

Nkinder: Created page with "__NOTOC__ == Potential reuse of revoked Identity tokens == === Summary === An authorization token issued by the Identity service can be revoked, which is designed to immediat..."

__NOTOC__

== Potential reuse of revoked Identity tokens ==
=== Summary ===
An authorization token issued by the Identity service can be revoked,
which is designed to immediately make that token invalid for future use.
When the PKI or PKIZ token providers are used, it is possible for an
attacker to manipulate the token contents of a revoked token such that
the token will still be considered to be valid. This can allow
unauthorized access to cloud resources if a revoked token is intercepted
by an attacker.

=== Affected Services / Software ===
Keystone, Icehouse, Juno, Kilo, Liberty

=== Discussion ===
Token revocation is used in OpenStack to invalidate a token for further
use. This token revocation takes place automatically in certain
situations, such as when a user logs out of the Dashboard. If a revoked
token is obtained by another party, it should no longer be possible to
use it to perform any actions within the cloud. Unfortunately, this is
not the case when the PKI or PKIZ token providers are used.

When a PKI or PKIZ token is validated, the Identity service checks it
by searching for a revocation by the entire token. It is possible for
an attacker to manipulate portions of an intercepted PKI or PKIZ token
that are not cryptographically protected, which will cause the
revocation check to improperly consider the token to be valid.

=== Recommended Actions ===
We recommend that you do not use the PKI or PKIZ token providers. The
PKI and PKIZ token providers do not offer any significant benefit over
other token providers such as the UUID or Fernet.

If you are using the PKI or PKIZ token providers, it is recommended that
you switch to using another supported token provider such as the UUID
provider. This issue might be fixed in a future update of the PKI and
PKIZ token providers in the Identity service.

To check what token provider you are using, you must look in the
'keystone.conf' file for your Identity service. An example is provided
below:

[token]
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider

In the Liberty release of the Identity service, the token provider
configuration is different than previous OpenStack releases. An
example from the Libery release is provided below:

[token]
#provider = pki
#provider = pkiz
provider = uuid

These configuration snippets are using the UUID token provider. If you
are using any of the commented out settings from these examples, your
cloud is vulnerable to this issue and you should switch to a different
token provider.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0062
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1490804
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* CVE: CVE-2015-7546

Security Notes

2015-12-15T22:43:32Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0062|OSSN-0062]] -Potential reuse of revoked Identity tokens ('''work in progress''')
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

Security Notes

2015-12-15T22:39:36Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0062|OSSN-0062]] -Potential reuse of revoked Identity tokens ('''work in progress''')
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5)
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host(16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0061

2015-12-15T22:38:42Z

Nkinder:

__NOTOC__

== Glance image signature uses an insecure hash algorithm (MD5) ==

=== Summary ===
During the Liberty release the Glance project added a feature that
supports verifying images by their signature. There is a flaw in the
implementation that degrades verification by using the weak MD5
algorithm.

=== Affected Services / Software ===
Glance, Liberty

=== Discussion ===
A signature algorithm is typically created by hashing data and then
encrypting that hash in some way. In the case of the new Glance feature
the signature algorithm does not hash the image to be verified. It
rehashes the existing MD5 checksum that is used to locally verify the
integrity of image data stored in Glance.

The Glance image signature algorithm uses configurable hash algorithms.
No matter which algorithm is used, the overall security of the algorithm
is degraded to that of MD5 because instead of applying it to the image
data it's applied only to the MD5 checksum that already exists in
Glance.

The image signature algorithm is a relatively new feature, introduced in
the Liberty release.

=== Recommended Actions ===
Users concerned with image security should be aware that the current
Glance signature algorithm is not secure by todays cryptographic
standards.

A specification for a fix has been proposed by the Glance development
team and is targeted for the Mitaka release.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0061
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1516031
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Glance Spec for fix : https://review.openstack.org/#/c/252462/
* CVE : CVE-2015-8234

Security Notes

2015-12-15T20:23:17Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0062|OSSN-0062]] -Potential reuse of revoked Identity tokens ('''work in progress''')
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance images signatures insecure hashes ('''work in progress''')
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host(16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

Security Notes

2015-11-16T21:33:58Z

Nkinder:

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host(16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0059

2015-11-16T21:33:02Z

Nkinder:

__notoc__

== Trusted VM can be powered on untrusted hosts ==
=== Summary ===
A trusted VM that has been launched earlier on a trusted host can
still be powered on from the same host even after the trusted host is
compromised.

=== Affected Services / Software ===
Nova, Trusted Computing Pools

=== Discussion ===
Trusted Computing Pools aim to ensure the trustworthiness of the hosts
leveraging hardware-based security features. When an instance is
scheduled, the scheduler finds a trusted host by calling the remote
Attestation API for each host to check whether it is trusted or not.
Then, the scheduler calls the corresponding compute node to launch
the VM. Once the VM is launched, the scheduler is no longer involved
unless a migration, a resize or an evacuation is asked for that VM.

Malicious users can bypass the trust check by the Attestation API using
these steps:

# Launch a trusted VM on a trusted host
# Stop the VM on the trusted host
# Compromise the host
# Power on the VM from the compromised host. There is no check by the Attestation API for powering on the VM in this case.

=== Recommended Actions ===
We recommend investigating further if the trust check by Attestation
API fails but the VM still boots. Another approach is to combine
secure boot with trusted boot. At the same time, Nova team has
discussed deprecating Trusted Filter.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0059
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1456228
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Nova Team Email Proposing Deprecation : http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html
* CR Demoting TrustedFilter to "experimental" : https://review.openstack.org/#/c/194592

Security Notes

2015-10-15T22:08:30Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0057

2015-10-15T22:07:40Z

Nkinder: Created page with "__NOTOC__ == DoS attack on Glance service can lead to interruption or disruption == === Summary === The typical Glance workflow allows authenticated users to create an image..."

__NOTOC__

== DoS attack on Glance service can lead to interruption or disruption ==

=== Summary ===
The typical Glance workflow allows authenticated users to create an
image and upload the image content in a separate step. This can be
abused by malicious users to flood the Glance database with entries
for zero sized images.

=== Affected Services / Software ===
Glance, Icehouse, Juno, Kilo, Liberty

=== Discussion ===
Glance by default allows an authenticated user to create zero size
images. Those images do not consume resources on the storage backend
and do not hit any limits for size, but do take up space in the
database.

Malicious users can potentially cause database resource depletion with
an endless flood of 'image-create' requests.

=== Recommended Actions ===
For current stable OpenStack releases, users can workaround this
vulnerability by using rate-limiting proxies to cover access to the
Glance API. Rate-limiting is a common mechanism to prevent DoS and
Brute-Force attacks. Rate limiting on the API requests allows a delay
in the consequences of the attack, but does not prevent it.

For example, if you are using a proxy such as Repose, enable the rate
limiting feature by following these steps:

https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter

An alternative approach to mitigate this issue would be to restrict
image creates to trusted administrators within your deployed Glance
policy.json file.

"add_image": "role:admin",

Another preventative action would be to monitor the logs to identify
excessive image create requests. One example of such a log message from glance-api.log
is as follows (single line, wrapped):

DEBUG glance.registry.client.v1.api [req-da1cafc0-f41f-4587-a484-672ba7f3546e
admin 8b04efc28055428c940505838314f262 - - -]
Adding image metadata... add_image_metadata
/usr/lib/python2.7/dist-packages/glance/registry/client/v1/api.py:161

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0057
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1401170
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

OSSN/OSSN-0033

2015-09-23T19:39:58Z

Nkinder: /* Contacts / References */

__NOTOC__
== Some SSL-Enabled connections fail to perform basic certificate checks ==

=== Summary ===
In many places, OpenStack components use Python 2.x HTTPSConnection to
establish an SSL connection between endpoints. This does not provide
many of the assurances one would expect when using SSL and leaves
connections open to potential man-in-the-middle attacks.

=== Affected Services / Software ===
All OpenStack services, Havana, Icehouse, Juno

=== Discussion ===
A secure SSL session relies on validation of a X.509 certificate. Basic
checks include:

* Certificate Authority trust verification
* Certificate revocation status
* Certificate expiration
* Certificate subject name matching

The HTTPSConnection class is used in a large number of locations and
fails to check that certificates are signed by a valid authority.
Without that check in place, the subsequent checks (some highlighted
above) are largely invalid.

The result is that an attacker who has access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that will be accepted by HTTPSConnection as valid - allowing
the attacker to intercept, read and modify traffic that should be
encrypted by SSL.

=== Recommended Actions ===
Some projects have updated their code to be more secure, others have
not. The OSSG suggest cloud deployers check the status of the bug
mentioned in the 'References' section of this note to see if the
projects they require have updated.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0033
* Launchpad Bugs :
** https://bugs.launchpad.net/ossn/+bug/1188189
** https://bugs.launchpad.net/ossn/+bug/1436082
** https://bugs.launchpad.net/nova/+bug/1276207
** https://bugs.launchpad.net/vmware-nsx/+bug/1487962
** https://bugs.launchpad.net/vmware-nsx/+bug/1488265
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

OSSN/OSSN-0033

2015-09-23T19:38:31Z

Nkinder: /* Contacts / References */

__NOTOC__
== Some SSL-Enabled connections fail to perform basic certificate checks ==

=== Summary ===
In many places, OpenStack components use Python 2.x HTTPSConnection to
establish an SSL connection between endpoints. This does not provide
many of the assurances one would expect when using SSL and leaves
connections open to potential man-in-the-middle attacks.

=== Affected Services / Software ===
All OpenStack services, Havana, Icehouse, Juno

=== Discussion ===
A secure SSL session relies on validation of a X.509 certificate. Basic
checks include:

* Certificate Authority trust verification
* Certificate revocation status
* Certificate expiration
* Certificate subject name matching

The HTTPSConnection class is used in a large number of locations and
fails to check that certificates are signed by a valid authority.
Without that check in place, the subsequent checks (some highlighted
above) are largely invalid.

The result is that an attacker who has access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that will be accepted by HTTPSConnection as valid - allowing
the attacker to intercept, read and modify traffic that should be
encrypted by SSL.

=== Recommended Actions ===
Some projects have updated their code to be more secure, others have
not. The OSSG suggest cloud deployers check the status of the bug
mentioned in the 'References' section of this note to see if the
projects they require have updated.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0033
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1188189
* Launchpad Bugs :
** https://bugs.launchpad.net/ossn/+bug/1188189
** https://bugs.launchpad.net/ossn/+bug/1436082
** https://bugs.launchpad.net/nova/+bug/1276207
** https://bugs.launchpad.net/vmware-nsx/+bug/1487962
** https://bugs.launchpad.net/vmware-nsx/+bug/1488265
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security Notes

2015-09-23T19:21:19Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0053

2015-09-23T19:20:57Z

Nkinder:

__NOTOC__

== Keystone token disclosure may result in malicious trust creation ==
=== Summary ===
Keystone tokens are the foundation of authentication and authorization
in OpenStack. When a service node is compromised, it is possible that
an attacker would have access to all tokens passing through that node.
With a valid token an attacker will be able to issue new tokens that
may be used to create trusts between the originating user and a new
user.

=== Affected Services / Software ===
Keystone, Grizzly, Havana, Icehouse, Juno, Kilo

=== Discussion ===
If a service node is compromised, an attacker now has access to every
token that passes through that node. By default, a Keystone token can
be exchanged for another token, and there is no restriction on scoping
of the new token. With the trust API, these tokens can be used to
delegate roles between the original user and a new user.

Trusts allow a user to set up a long term delegation that permits
another user to perform operations on their behalf. While tokens
created through trusts are limited in what they can do, the
limitations are only on things like changing passwords or creating
new tokens. This would grant an attacker access to all the operations
available to the originating user in their projects, and the roles that
are delegated through the trust.

There are other ways that a compromised token can be misused beyond the
methods described here. This note addresses one possible path for
vulnerabilities based on the unintended access that could be gained
from trusts created through intercepted tokens.

This behavior is intrinsic to the bearer token model used within
Keystone / OpenStack.

=== Recommended Actions ===
The following steps are recommended to reduce exposure, based on the
granularity and accepted level of risk in a given environment:

1. Monitor and audit trust creation events within your environment.
Keystone emits notifications on trust creation and deletion that are
accessible through system logs or, if configured, the CADF
data/security/trust resource extension.

2. Offer roles that cannot create trusts / delegate permissions /
assign new roles via Keystone to users. This limits the vector of
attack to compromising Keystone directly or man-in-the-middle capture
of a separate token that has the authorization to create
trusts/delegate/assign roles.

3. Retain the default token lifespan of 1 hour. Many workloads require
a single token for the whole workload, and take more than one hour, so
installations have increased token lifespans back to the old value of
24 hours - increasing their exposure to this issue.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0053
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1455582
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Hierarchical Roles : https://review.openstack.org/#/c/125704
* Policy by URL : https://review.openstack.org/#/c/192422
* Unified policy file : https://review.openstack.org/#/c/134656
* Endpoint_ID from URL : https://review.openstack.org/#/c/199844

Security Notes

2015-09-18T02:21:22Z

Nkinder:

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0056

2015-09-18T02:20:42Z

Nkinder:

__NOTOC__

== Cached keystone tokens may be accepted after revocation ==
=== Summary ===
Keystone auth_token middleware token and revocation list caching is used
to reduce the load on the keystone service. The default token cache time
is set to 300 seconds and the default token revocation list cache time
is set to 10 seconds. This creates a misleading expectation that revoked
tokens will not be accepted more than 10 seconds after revocation,
however the maximum validity of a cached token must be assumed to be the
cache duration. System owners should make a risk based decision to
balance token lifespan with performance requirements and if the use of
revoked tokens is an unacceptable risk then caching should be disabled.

=== Affected Services / Software ===
OpenStack Services that use Keystone middleware: Juno, Kilo, Liberty

=== Discussion ===
There are multiple options for configuring token caching in the keystone
auth_token middleware. These options include token_cache_time,
revocation_cache_time and check_revocations_for_cached, with each option
affecting the different stages of token caching and revocation.
Depending on the configuration the previously mentioned options, an
attacker could use a compromised token for up to token_cache_time seconds
before the token becomes disabled. To mitigate this vulnerability, a
change was issued in Juno where the default Token Revocation List (TRL)
cache time was reduced to 10 seconds and the
check_revocations_for_cached option was added. The addition of a token
to a TRL does not guarantee that cached tokens will be rejected
considering the operational nature of token caching. For instance, if
the check_revocations_for_cached is disabled then tokens are valid after
caching token_cache_time or the designated expiration given to the
token. Otherwise (if check_revocations_for_cached is enabled) then
tokens are rejected after the revocation_cache_time.

System owners should weigh the risk of an attacker using a revoked token
versus the performance implications of reducing the token cache time.

=== Recommended Actions ===
Review the implications of the default 300 second token cache time and
any risks associated with the use of revoked tokens for up to that cache
time. If this is unacceptable, reduce the cache time to reduce the
attack window or disable token caching entirely.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0056
* Original LaunchPad Bug : https://bugs.launchpad.net/python-keystoneclient/+bug/1287301
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security Notes

2015-09-17T21:16:25Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation('''work in progress''')
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0058

2015-09-17T21:16:02Z

Nkinder:

__NOTOC__

== Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ==
=== Summary ===
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
authentication are not formatted correctly in the tgtadm configuration
file. This leads to a condition where an operator will expect that
volumes can only be mounted with the authentication credentials when,
in fact, they can be mounted without the credentials.

=== Affected Services / Software ===
Cinder, Icehouse

=== Discussion ===
When requesting that LVMISCSIDriver based volumes use the CHAP
authentication protocol, Cinder will add the credentials for
authentication to the configuration file for the tgtadm
application. In pre-Juno versions of Cinder the key name for these
credentials is incorrect. This incorrect key name will cause tgtadm
to not properly parse those credentials.

With incorrect credentials in place, tgtadm will fail to authenticate
volume mounting when requested by Cinder. The failed setting of
credentials through the configuration file will also allow
unauthenticated access to these volumes. This can allow instances
on the same network as the volumes to mount them without providing the
credentials to the tgtadm application.

This behavior can be confirmed by displaying the accounts associated
with a volume. For volumes which have authentication enabled, you will
see an account listed in the output of the tgtadm application. The
account names created by Cinder will be randomly generated and will
appear as 20 character strings. To print the information for volumes
the following command can be run on nodes with attached volumes:

# tgtadm --lld iscsi --op show --mode target

User names will be found in the `Account information:` section.

=== Recommended Actions ===
If possible, Cinder should be updated to the Juno release or newer. If
this is not possible, then the following guidance will help mitigate
unwanted traffic to the affected nodes.

1. Identify the nodes that will be exposing Cinder volumes with the
LVMISCSIDriver and the nodes that will need to attach those volumes.

2. Implement either security group port rules or iptables rules on
the nodes exposing the volumes to only allow traffic through port 3260
from nodes that will need to attach volumes.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
* Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security Notes

2015-09-17T21:08:07Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation('''work in progress''')
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0054

2015-09-17T21:07:27Z

Nkinder: Created page with "__NOTOC__ == Potential Denial of Service in Horizon login == === Summary === Horizon uses the Python based Django web framework. Older versions of this framework allow an una..."

__NOTOC__

== Potential Denial of Service in Horizon login ==
=== Summary ===
Horizon uses the Python based Django web framework. Older versions of
this framework allow an unauthorized user to fill up the session store
database causing a Horizon denial of service. A fix for Django is
available but works only with Kilo and later versions of Horizon.

=== Affected Services / Software ===
Horizon, Django, Essex, Folsom, Grizzly, Havana, Icehouse, Juno

=== Discussion ===
Django will record the session ID of web requests even when the request
is from an unauthorized user. This allows an attacker to populate the
session store database with invalid session information, potentially
causing a denial of service condition by filling the database with
useless session information.

=== Recommended Actions ===
The Django developers have released a fix for this issue which is
included in software versions 1.4.21, 1.7.9 and 1.8.3. Horizon
administrators should ensure that they are using an up to date version
of Django to avoid being affected by this vulnerability.

Versions of Horizon prior to Kilo cannot run with the fixed version of
Django, and may require updating to a newer version of OpenStack.
Administrators can test if their deployment is affected by attempting to
inject invalid sessions into the session store database using the
following script and then querying the session store database to check
if multiple 'aaaaa' session ID's were recorded.

for i in {1..100}
do
curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null
done

If possible, affected users should upgrade to the Kilo or newer release
of Horizon, allowing them to use the fixed version of Django.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0054
* Django fix : https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
* Django CVE : CVE-2015-5143
* Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1457551
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security Notes

2015-09-17T18:41:56Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation('''work in progress''')
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Another Horizon login page vulnerability to a DoS attack ('''work in progress''')
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0055

2015-09-17T18:38:26Z

Nkinder:

__NOTOC__

== Service accounts may have cloud admin privileges ==
=== Summary ===
OpenStack services (for example Nova and Glance) typically use a
service account in Keystone to perform actions. In some cases this
service account has full admin privileges, may therefore perform any
action on your cloud, and should be protected appropriately.

=== Affected Services / Software ===
Most OpenStack services / all versions

=== Discussion ===
In many cases, OpenStack services require an OpenStack account to
perform API actions such as validating Keystone tokens. Some
deployment tools grant administrative level access to these service
accounts, making these accounts very powerful.

A service account with administrator access could be used to:
* destroy/modify/access data
* create or destroy admin accounts
* potentially escalate to undercloud access
* log in to Horizon

=== Recommended Actions ===
Service accounts can use the "service" role rather than admin. You
can check what role the service account has by performing the following
steps:

1. List roles:

openstack role list

2. Check the role assignment for the service user in question:

openstack role assignment list --user <service_user>

3. Compare the ID listed in the "role" column from step 2 with the role
IDs listed in step 1. If the role is listed as "admin", the service
account has full admin privileges on the cloud.

It is possible to change the role to "service" for some accounts but
this may have unexpected consequences for services such as Nova and
Neutron, and is therefore not recommended for inexperienced admins.

If a service account does have admin, it's advisable to closely
monitor login events for that user to ensure that it is not used
unexpectedly. In particular, pay attention to unusual IPs using the
service account.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0055
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security Notes

2015-09-17T18:27:16Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host('''work in progress''')
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation('''work in progress''')
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (2 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Another Horizon login page vulnerability to a DoS attack ('''work in progress''')
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0052

2015-09-17T18:26:29Z

Nkinder:

__NOTOC__

== Python-swiftclient exposes raw token values in debug logs ==

=== Summary ===
The password and authentication token configuration options for the
python-swiftclient are not marked as secret. The values of these options
will be logged to the standard logging output when the controller is run
in debug mode.

=== Affected Services / Software ===
Python-swiftclient, Swift, Glance, Juno, Kilo

=== Discussion ===
When using the python-swiftclient to connect to Glance, and the
'glance-api.conf' has set the value of the debug option to True, the
requests sent through the API, including user and token details, will be
captured in the local log mechanism.

=== Recommended Actions ===
It is recommended to use the debug level in configurations only when
necessary to troubleshoot an issue. When the debug flag is set, the
resulting logs should be treated as having sensitive information and as
such should have strict permissions around the file and containing
directory set in the operating system. Additionally, the logs should
not be transported off the system in plaintext such as through syslog.

The debug level can be turned off by setting the following option in
the `glance-api.conf` file:

[DEFAULT]
debug = false

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0052
* Original LaunchPad Bug : https://bugs.launchpad.net/python-swiftclient/+bug/1470740
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

OSSN/OSSN-0049

2015-07-07T13:46:05Z

Nkinder: /* Discussion */

__NOTOC__

== Nova ironic driver logs sensitive information while operating in debug mode ==
=== Summary ===
The password and authentication token configuration options for the
ironic driver in nova are not marked as secret. The values of these
options will be logged to the standard logging output when the
controller is run in debug mode.

=== Affected Services / Software ===
Nova, Ironic, Juno, Kilo

=== Discussion ===
When using nova with the ironic driver, an operator will need to specify
either the password or an authentication token for the ironic admin
user's keystone credentials. Under normal circumstances this is not an
issue, but when running the API server with logging levels set to
include the DEBUG message level these credentials will be exposed in
the logs.

Logging of configuration values is controlled by the `secret` flag for
any oslo configuration option. Without this flag set, the value for a
configuration option will be displayed in the logs. In the case of the
ironic credentials, these options are not marked as secret.

This presents a challenge to any operator who might have increased the
log verbosity for the purposes of debugging or extended log collection.
Depending on permissions and log storage location, these values could
be read by an intruder to the system. The credentials will provide
anyone who controls them access to the ironic API server's
administrative functions. Additionally, they could be used in conjunction
with OpenStack Identity functions to issue new authentication tokens or
perform further malicious activity depending on the scope of the
administrative account access (for example, modifying account
permissions).

All nova installations that have values defined for the
`admin_password` or `admin_auth_token` options in the `ironic` section,
and have set `debug=true` in the `DEFAULT` section of their
configuration file will be affected by this issue.

=== Recommended Actions ===
As of the Liberty-1 release of nova, this issue has been resolved.
It has also been backported to the Kilo and Juno stable releases, which
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.

Where possible, nova deployments should be updated to one of these
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).

If updating the nova deployment is not feasible, operators should
turn off the debug logging level whenever it is not in use and ensure
that log files produced from those debug sessions are stored securely.
To disable the debug log level, the nova configuration file should be
editted as follows:

[DEFAULT]
debug = False

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions

Security Notes

2015-07-07T13:43:31Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0049

2015-07-07T13:42:44Z

Nkinder: Created page with "__NOTOC__ == Nova ironic driver logs sensitive information while operating in debug mode == === Summary === The password and authentication token configuration options for th..."

__NOTOC__

== Nova ironic driver logs sensitive information while operating in debug mode ==
=== Summary ===
The password and authentication token configuration options for the
ironic driver in nova are not marked as secret. The values of these
options will be logged to the standard logging output when the
controller is run in debug mode.

=== Affected Services / Software ===
Nova, Ironic, Juno, Kilo

=== Discussion ===
When using nova with the ironic driver, an operator will need to specify
either the password or an authentication token for the ironic admin
user's keystone credentials. Under normal circumstances this is not an
issue, but when running the API server with logging levels set to
include the DEBUG message level these credentials will be exposed in
the logs.

Logging of configuration values is controlled by the `secret` flag for
any oslo configuration option. Without this flag set, the value for a
configuration option will be displayed in the logs. In the case of the
ironic credentials, these options are not marked as secret.

This presents a challenge to any operator who might have increased the
log verbosity for the purposes of debugging or extended log collection.
Depending on permissions and log storage location, these values could
be read by an intruder to the system. The credentials will provide
anyone who controls them access to the ironic API server's
administrative functions. Additionally, they could be used in conjuction
with OpenStack Identity functions to issue new authentication tokens or
perform further malicious activity depending on the scope of the
administrative account access (for example, modifying account
permissions).

All nova installations that have values defined for the
`admin_password` or `admin_auth_token` options in the `ironic` section,
and have set `debug=true` in the `DEFAULT` section of their
configuration file will be affected by this issue.

=== Recommended Actions ===
As of the Liberty-1 release of nova, this issue has been resolved.
It has also been backported to the Kilo and Juno stable releases, which
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.

Where possible, nova deployments should be updated to one of these
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).

If updating the nova deployment is not feasible, operators should
turn off the debug logging level whenever it is not in use and ensure
that log files produced from those debug sessions are stored securely.
To disable the debug log level, the nova configuration file should be
editted as follows:

[DEFAULT]
debug = False

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions

Security Notes

2015-05-11T14:17:53Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0046

2015-05-11T14:17:04Z

Nkinder: /* OSSN-0046 */

__NOTOC__

== Setting services to debug mode can also set Pecan to debug ==

=== Summary ===
When debug mode is set for a service using Pecan (via ''--debug'' or
''CONF.debug=True'') Pecan is also set to debug. This can result in
accidental information disclosures.

=== Affected Services / Software ===
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar

=== Discussion ===
Although it's best practice to run production environments with
debugging functionality disabled, experience shows us that many
deployers choose to run OpenStack with debugging enabled to aid with
administration and fault finding.

When Pecan is running in debug mode, the following capabilities are made
available to anyone who can interact with the API service:

* Retrieve a stack trace of failed Pecan calls
* Retrieve a full list of environment variables containing potentially
sensitive information such as API credentials, passwords etc.
* Set an execution breakpoint which hangs the service with a pdb shell,
resulting in a denial of service

=== Recommended Actions ===
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.
Deployers are encouraged to apply these fixes (see launchpad bug in
References) in their clouds. For services that do not have a fix, or
where fixes cannot be applied in existing deployments, we advise not
using the debug configuration for affected services in production
environments.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046
* Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Pecan : http://www.pecanpy.org/

Security Notes

2015-04-30T14:54:38Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0048

2015-04-30T14:54:05Z

Nkinder: Created page with "__notoc__ == Glance method filtering does not work under certain conditions == === Summary === Glance is using the Python assert statement for validating the HTTP method typ..."

__notoc__

== Glance method filtering does not work under certain conditions ==

=== Summary ===
Glance is using the Python assert statement for validating the HTTP
method type in its caching middleware for some image endpoints. The
Python documentation states that when optimization is requested
(command line option -O), assert statements will not be evaluated.
This results in a condition where these method validations will not
occur and can allow a specific method to be called with a different
HTTP verb.

=== Affected Services / Software ===
Glance, Icehouse, Juno, Kilo

=== Discussion ===
Glance uses the Python assert statement to validate the HTTP method
for some of the image endpoints in the version 1 and 2 REST interfaces.
In circumstances where glance is being run with Python optimization
enabled (by using the -O command line option), these assert statements
will not be evaluated. In these cases, the HTTP verb is unchecked for
the requested endpoints.

The endpoints and methods affected by this are the following:

* GET on /v1/images/{image_id}
* DELETE on /v1/images/{image_id}
* GET on /v2/images/{image_id}/file
* DELETE on /v2/images/{image_id}

This can lead to access violations in some configurations. For
example, if filtering were occurring in front of the glance API to
restrict queries based on HTTP method and IP address, an attacker
could circumvent this filtering by matching the endpoint regular
expression and providing a different HTTP verb. In this example
an attacker would be able to download or delete images from glance.

Assuming a user were restricted by network filtering to only send
DELETE requests to the glance API endpoint. The user could attempt to
circumvent the filtering by sending a well crafted request to the
endpoint that would actually retrieve the named image. If an image ID
were known to be "12345", then a DELETE request sent to the glance API
endpoint "/v2/images/12345/file" would end up matching the GET URI
pattern. This would retrieve the image from glance, thus exploiting the
filtering.

=== Recommended Actions ===
As of the Kilo-rc1 release of glance, this vulnerability has been
patched. It has also been backported to the stable branch of the Juno
release and will be officially updated in the 2014.2.4 tag of glance.
This will not be fixed for Icehouse.

Kilo deployments should be updated to the rc1 tag. Juno deployments
should be updated to the 2014.2.4 tag. Operators maintaining Icehouse
deployments of glance should consider upgrading to the Juno 2014.2.4
release.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0048
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1414532
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Python assert documentation: https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement
* Python optimize documentation: https://docs.python.org/2/using/cmdline.html#envvar-PYTHONOPTIMIZE
* Glance v1 API: http://developer.openstack.org/api-ref-image-v1.html
* Glance v2 API: http://developer.openstack.org/api-ref-image-v2.html

Security Notes

2015-04-19T18:32:26Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance using assert for method checking in middleware ('''Work in progress''')
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0047

2015-04-19T18:31:46Z

Nkinder: Created page with "__NOTOC__ == Keystone does not validate that identity providers match federation mappings == === Summary === Keystone's OS-FEDERATION extension does not enforce a link betwee..."

__NOTOC__

== Keystone does not validate that identity providers match federation mappings ==
=== Summary ===
Keystone's OS-FEDERATION extension does not enforce a link between an
identity provider and a federation mapping. This can lead to assertions
or claims from one identity provider being used with mappings intended
for use with another identity provider, which could result in users
obtaining access to resources that they are not intended to have.

=== Affected Services / Software ===
Keystone, Juno, Kilo

=== Discussion ===
Keystone's OS-FEDERATION extension allows for a set of environment
variables provided by a trusted identity provider to be used as mapping
inputs to determine group membership (and ultimately role assignment).
Mapping rules are intended to be identity provider specific, as
different identity providers provide their assertions or claims in
different forms.

In the Juno release of Keystone, there is no ability within Keystone
itself to enforce that assertions or claims from an identity provider
are actually being used against a mapping that is associated with that
same identity provider. A malicious user from one trusted identity
provider could access a Keystone federated authentication URL for a
different trusted identity provider. Depending on the content of the
assertions or claims and the mapping rules, this could result in a user
gaining access to resources that they are not intended to access.

Consider an example deployment where Keystone is configured to trust two
identity providers ('idp1' and 'idp2'). The federation mapping for
'idp1' might result in users of the 'devops' group having the 'admin'
role on a specific project. If a user with an assertion or claim from
'idp2' that says they are in the 'devops' group uses the authentication
URL that is associated with 'idp1', they could also be given the 'admin'
role just as if they were a 'devops' user from 'idp1'. This access
should not be allowed.

=== Recommended Actions ===
Even though the Juno release of Keystone does not have the ability to
enforce that an identity provider and a mapping match, it is possible to
configure the frontend webserver that is used to deploy Keystone to
perform this enforcement. Each identity provider supported by Keystone
has its own authentication URL. It is recommended that the webserver
configuration configures its underlying federation plug-ins to
cryptograhically enforce that an identity provider is only valid for
its associated authentication URL.

For example, the SAML protocol uses an asymmetric keypair to sign the
requests and responses that are transmitted between an identity provider
and a service provider (Keystone in our case). When using Apache HTTPD
as a webserver for Keystone, a separate 'Location' directive can be used
for each federated authentication URL. The directives that define the
certificate of the identity provider for the underlying HTTPD module
that is handling the SAML protocol can be defined within the identity
provider specific 'Location' directives. This will ensure that a signed
SAML assertion from one trusted identity provider will only be
successfully validated when used against the appropriate authentication
URL.

Here is an example with the mod_auth_mellon HTTPD module:

<Location /v3/OS-FEDERATION/identity_providers/idp1/protocols/saml2/auth>
AuthType "Mellon"
MellonEnable "auth"
...
MellonIdPMetadataFile /etc/httpd/mellon/idp1-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/idp1/protocols/saml2/auth/mellon
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp2/protocols/saml2/auth>
AuthType "Mellon"
MellonEnable "auth"
...
MellonIdPMetadataFile /etc/httpd/mellon/idp2-metadata.xml
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/idp2/protocols/saml2/auth/mellon
</Location>

In the above example, we have two identity providers ('idp1' and
'idp2'). Each identity provider has their own 'Location' directive,
and the 'MellonIdPMetadataFile' directive that points to the metadata
that contains the certificate of the identity provider is specific to
each 'Location' directive. This configuration will not allow a signed
assertion from 'idp1' to be used against the authentication URL for
'idp2'. An attempt to do so would be rejected by mod_auth_mellon and
would never actually reach Keystone's OS-FEDERATION extention.

It is recommended to read the Keystone federation documentation as well
as the documentation for the HTTPD module that you are using for your
federation method of choice. Some useful links to this documentation
are provided in the references section of this note.

In the Kilo release of Keystone, it is also possible to have Keystone
enforce that an assertion actually comes from the identity provider that
is associated with the authentication URL. This is performed by
comparing an identity provider identifier value from the assertion or
claim with an identifier that is stored as a part of the identity
provider within Keystone.

To enable this functionality, you must set the 'remote_id_attribute'
setting in keystone.conf, which defines the environment variable that
contains the identity provider identifier. You then must add the
identifier value that the 'remote_id_attribute' will contain as one of
the 'remote_ids' values of the associated identity provider in Keystone.
This can be done using the Identity API directly, or via the 'openstack'
command-line utility.

It is recommended that you use a webserver configuration that has
identity provider specific 'Location' directives as described above in
addition to using the new 'remote_ids' checking in the Kilo release.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0047
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1390124
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Keystone Federation Docs : http://docs.openstack.org/developer/keystone/configure_federation.html
* mod_auth_mellon Docs : https://github.com/UNINETT/mod_auth_mellon/wiki
* mod_shib Docs : https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
* mod_auth_openidc Docs : https://github.com/pingidentity/mod_auth_openidc

Security Notes

2015-04-09T14:53:51Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0047|OSSN-0047]] - No validation between client's IdP and Keystone IdP ('''Work in progress''')
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

Security Notes

2015-03-11T18:10:47Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0045

2015-03-11T18:10:07Z

Nkinder:

__NOTOC__

== Vulnerable clients allow a TLS protocol downgrade (FREAK)==

=== Summary ===
Some client-side libraries, including un-patched versions of OpenSSL,
contain a vulnerability which can allow a man-in-the-middle (MITM) to
force a TLS version downgrade. Even though this vulnerability exists in
the client side, an attack known as FREAK is exploitable when TLS
servers offer weak cipher choices. This security note provides guidance
to mitigate the FREAK attack on the server side, so that TLS provides
reasonable security for even un-patched clients.

=== Affected Services / Software ===
Any service using TLS. Depending on the backend TLS library, this
can include many components of an OpenStack cloud:

* OpenStack services
* OpenStack clients
* Web servers (Apache, Nginx, etc)
* SSL/TLS terminators (Stud, Pound, etc)
* Proxy services (HAProxy, etc)
* Miscellaneous services (eventlet, syslog, ldap, smtp, etc)

=== Discussion ===
TLS connections are established by a process known as a TLS handshake.
During this process a client first sends a message to the server known
as "HELLO", where among other things the client lists all of the TLS
encryption ciphers it supports. In the next step, the server responds
with its own "HELLO" packet, in which the server picks one of the cipher
options the client offered. After this the client and server continue on
to securely exchange a secret which becomes a master key.

The FREAK attack exploits a flaw in client logic in which vulnerable
clients don't actually check that the cipher which was selected by the
server was one they had offered in the first place. This creates the
possibility that an attacker on the network somewhere between the client
and server can alter the client's HELLO packet, removing all choices
except for really weak ciphers known as "export grade ciphers". If the
server supports these weak ciphers, it will (regretfully) chose it, as
it appears that this is the only option that the client supports, and
send it back in the server HELLO message.

Export grade ciphers are a legacy of a time when the US government
prohibited the export of cryptographic ciphers which were stronger than
512 bits for asymmetric ciphers and 40 bits for symmetric ciphers. Today
these ciphers are easily and quickly crackable using commodity hardware
or cloud resources.

=== Recommended Actions ===
Since this is a vulnerability in client logic, the best option is to
ensure that all clients update to the latest version of the affected
library. For more details about upgrading OpenSSL please see the link to
the OpenSSL advisory in the "Further discussion" section below. Since it
is unfeasible to assume that all clients have updated, we should also
mitigate this on the TLS server-side.

To mitigate the FREAK attack on the server side, we need to remove
support for any ciphers which are weak. This is to prevent a MITM from
forcing the negotiation of a weak cipher. In particular we need to
remove support for any export grade ciphers, which are especially weak.

The first step is to find what versions your TLS server currently
supports. Two useful solutions exist for this: SSL Server Test at
Qualys SSL Labs can be used to scan any web accessible endpoints, and
SSLScan is a command line tool which attempts a TLS connection to a
server with all possible cipher suites. Please see "tools" below for
links to both.

The specific steps required to configure which cipher suites are
supported in a TLS deployment depend on the software and configuration,
and are beyond the scope of this note. Some good starting places are
provided below in the section: "Resources for configuring TLS options".

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0045
* Original LaunchPad Bug : N/A
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* CVE: CVE-2015-0204 (OpenSSL)
* Further discussion of the issue:
** http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
** https://www.smacktls.com/
** https://www.openssl.org/news/secadv_20150108.txt
* Tools:
** SSLScan: http://sourceforge.net/projects/sslscan/
** SSL Server Test: https://www.ssllabs.com/ssltest/
* Resources for configuring TLS options:
** In OpenStack: http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html

Security Notes

2015-03-02T21:08:15Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0044

2015-03-02T21:07:36Z

Nkinder: Created page with "__NOTOC__ == Older versions of noVNC allow session theft == === Summary === Commonly packaged versions of noVNC allow an attacker to hijack user sessions even when TLS is ena..."

__NOTOC__

== Older versions of noVNC allow session theft ==
=== Summary ===
Commonly packaged versions of noVNC allow an attacker to hijack user
sessions even when TLS is enabled. noVNC fails to set the secure flag
when setting cookies containing an authentication token.

=== Affected Services / Software ===
Nova, when embedding noVNC prior to v0.5

=== Discussion ===
Versions of noVNC prior to October 28, 2013 do not properly set the
secure flag on cookies for pages served over TLS. Since noVNC stores
authentication tokens in these cookies, an attacker who can modify
user traffic can steal these tokens and connect to the VNC session.

Affected deployments can be identified by looking for the "secure"
flag on the token cookie set by noVNC on TLS-enabled installations. If
the secure flag is missing, the installation is vulnerable.

At the time of writing, Debian, Ubuntu and Fedora do not provide
versions of this package with the appropriate patch.

=== Recommended Actions ===
noVNC should be updated to version 0.5 or later. If this is not
possible, the upstream patch should be applied individually.

Upstream patch:
https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0044
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1420942
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* CVE: in progress-http://www.openwall.com/lists/oss-security/2015/02/17/1

Security Notes

2015-02-06T16:37:24Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0043

2015-02-05T12:49:06Z

Nkinder: Created page with "__NOTOC__ == glibc 'GHOST' vulnerability can allow remote code execution == === Summary === A serious vulnerability in the GNU C library (glibc) gethostbyname* functions can..."

__NOTOC__

== glibc 'GHOST' vulnerability can allow remote code execution ==

=== Summary ===
A serious vulnerability in the GNU C library (glibc) gethostbyname*
functions can allow an attacker to perform remote code execution with
the privileges of the application that calls the gethostbyname*
function. The vulnerable functions are used by a vast number of
programs, effectively any time a network socket is used in a linux
system, so the full exploitability of this vulnerability will not
become known immediately.

The publishers of this vulnerability, Qualys, have announced a proof of
concept exploit for the Exim mail server, which bypasses operating
system protections such as ASLR and DEP.

=== Affected Services / Software ===
All versions running on Linux installations with a vulnerable glibc
library.

=== Discussion ===
The GNU C library (glibc), from versions 2.2 to 2.17 inclusive, has
a group of vulnerable functions for hostname/address resolution. There
is a buffer overflow in the __nss_hostname_digits_dots() function which
is used by the gethostbyname*() group of functions. The maximum amount
of memory that can be overwritten is sizeof(char *), i.e. 4 bytes on
typical 32-bit systems and 8 bytes on typical 64-bit systems.

These low-level functions are linked by many other C/C++ programs and
interpreted languages like Python, Perl and Bash, so this vulnerability
is insidious and will appear in cases where it would not at first seem
obvious. There are many cases in a typical Linux installation where
these functions will be used, generally wherever a hostname is resolved
to an IP address, although in newer applications an IPv6 compatible
function, getaddinfo() may be used instead.

This vulnerability could let an attacker remotely execute code in cases
where they control the input to a function that performs hostname
resolution. There are no currently-known OpenStack-specific
exploitation paths associated with this vulnerability. However, the
Python socket library presents a gethostbyname() wrapper around the
glibc function, and there are various ways in which this could be
exposed.

=== Recommended Actions ===
The glibc library is loaded into memory when a process that uses it
starts up, so to fix the vulnerability, glibc should be updated to a
non-vulnerable version (2.18 or newer) and all services which use glibc
should be restarted to replace the version in memory. Due to the number
of places where these vulnerable functions are used, this effectively
means that vulnerable systems must be restarted after updating glibc.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0043
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1415416
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* CVE: CVE-2015-0235
* Source advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

Security Notes

2014-12-18T06:41:10Z

Nkinder:

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0038

2014-12-18T02:06:32Z

Nkinder: Created page with "__NOTOC__ == Suds client subject to cache poisoning by local attacker == === Summary === Suds is a Python SOAP client for consuming Web Services. Its default cache implement..."

__NOTOC__

== Suds client subject to cache poisoning by local attacker ==

=== Summary ===
Suds is a Python SOAP client for consuming Web Services. Its default
cache implementation stores pickled objects to a predictable path in
/tmp. This can be used by a local attacker to redirect SOAP requests via
symlinks or run a privilege escalation or code execution attack.

=== Affected Services / Software ===
Cinder, Nova, Grizzly, Havana, Icehouse

=== Discussion ===
The Python 'suds' package is used by oslo.vmware to interface with SOAP
service APIs and both Cinder and Nova have dependencies on oslo.vmware
when using VMware drivers. By default suds uses an on-disk cache that
places pickle files, serialised Python objects, into a known location
'/tmp/suds'. A local attacker could use symlinks or place crafted files
into this location that will later be deserialised by suds.

By manipulating the content of the cached pickle files, an attacker can
redirect or modify SOAP requests. Alternatively, pickle may be used to
run injected Python code during the deserialisation process. This can
allow the spawning of a shell to execute arbitrary OS level commands
with the permissions of the service using suds, thus leading to possible
privilege escalation.

At the time of writing, the suds package appears largely unmaintained
upstream. However, vendors have released patched versions that do not
suffer from the predictable cache path problem. Ubuntu is known to offer
one such patched version (python-suds_0.4.1-2ubuntu1.1).

=== Recommended Actions ===
The recommended solution to this issue is to disable cache usage in the
configuration as shown:

client.set_options(cache=None)

A fix has been released to oslo.vmware (0.6.0) that disables the use of
the disk cache by default. Cinder and Nova have both adjusted their
requirements to include this fixed version. Deployers wishing to re-enable
the cache should ascertain whether or not their vendor shipped suds package
is susceptible and consider the above advice.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0038
* Original Launchpad Bug : https://bugs.launchpad.net/ossn/+bug/1341954
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Suds: https://pypi.python.org/pypi/suds
* CVE: CVE-2013-2217

Security Notes

2014-12-17T16:17:48Z

Nkinder: /* Published Security Notes */

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker ('''work in progress''')
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

Security Notes

2014-12-17T16:16:54Z

Nkinder:

The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] -Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ("work in progress")
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ("work in progress")
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker ('''work in progress''')
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)

OSSN/OSSN-0042

2014-12-17T01:42:47Z

Nkinder: Created page with "__NOTOC__ == Keystone token scoping provides no security benefit == === Summary === Keystone provides "scoped" tokens that are constrained to use by a single project. A user..."

__NOTOC__
== Keystone token scoping provides no security benefit ==

=== Summary ===
Keystone provides "scoped" tokens that are constrained to use by a
single project. A user may expect that their scoped token can only be
used to perform operations for the project it is scoped to, which is not
the case. A service or other party who obtains the scoped token can use
it to obtain a token for a different authorized scope, which may be
considered a privilege escalation.

=== Affected Services / Software ===
Keystone, Diablo, Essex, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo

=== Discussion ===
This is not a bug in keystone, it's a design feature that some users may
expect to bring security enhancement when it does not. The OSSG is
issuing this security note to highlight the issue.

Many operations in OpenStack will take a token from the user and pass it
to another service to perform some portion of the intended operation.
This token is very powerful and can be used to perform many actions for
the user. Scoped tokens appear to limit their use to the project and
roles they were granted for but can also be used to request tokens with
other scopes. It's important to note that this only works with currently
valid tokens. Once a token expires it cannot be used to gain a new
token.

Token scoping helps avoid accidental leakage of tokens because using
tokens with other services requires the extra step of requesting a new
re-scoped token from keystone. Scoping can help with audit trails and
promote good code practices. There's currently no way to create a
tightly scoped token that cannot be used to request a re-scoped token. A
scoped token cannot be relied upon to restrict actions to only that
scope.

=== Recommended Action ===
Users and deployers of OpenStack must not rely on the scope of tokens
to limit what actions can be performed using them.

Concerned users are encouraged to read (OSSG member) Nathan Kinder's
blog post on this issue and some of the potential future solutions.

=== Contacts / References ===
* Nathan Kinder on Token Scoping : https://blog-nkinder.rhcloud.com/?p=101
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0042
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1341816
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg

Security/Kilo/Keystone

2014-10-23T17:38:22Z

Nkinder: Created page with "This page documents security related details for the Keystone project in the OpenStack Kilo release. === Implemented Crypto === Keystone doesn't have an home-brewed encryption..."

This page documents security related details for the Keystone project in the OpenStack Kilo release.
=== Implemented Crypto ===
Keystone doesn't have an home-brewed encryption implementations, everything is used from Python Standard libraries or third party libraries.

=== Used Crypto ===
==== Libraries ====
* oauthlib (uses hashlib)
* OpenSSL
* PassLib
* PyCrypto
* Python hashlib
* python-ldap (ultimately uses GnuTLS, NSS, or OpenSSL depending on the platform)
* Requests (for keystoneclient HTTPS usage - '''need to investigate underlying crypto usage''')
** uses stdlib - https://github.com/kennethreitz/requests/blob/master/requests/packages/urllib3/connection.py

==== Encryption Algorithms ====
{| class="wikitable sortable"
|-
! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source
|-
| AES || Memcache backend encryption|| No || PyCrypto ||
* Optionally used for encrypting the token backend.
||
* keystoneclient.middleware.memcache_crypt.py
|-
| RSA || PKI token signing || Yes || OpenSSL ||
* 2048, sha1 defaults
* Configurable via openssl.conf.
* Keys/Certs can be created outside of Keystone and dropped into place.
||
* keystone.common.openssl.py
* keystoneclient.common.cms.py
|}

==== Hashing Algorithms ====
{| class="wikitable sortable"
|-
! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source
|-
| md5 || Token hashing || No || hashlib ||
* Hash is used as an internal identifier in the token backend.
* The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low.
||
* keystoneclient.utils.py
* keystoneclient.common.cms.py
|-
| sha1 || S3 credentials || No || hashlib ||
* Used for signature validation of S3 credentials.
* Required for S3 compatibility, so it can't be configurable.
||
* keystone.contrib.s3.core.py
|-
| sha1 || OAuth1 || No || oauthlib ||
* Used for signature validation of OAuth1 tokens.
* Keystone only uses the HMAC-SHA1 signature for OAuth1 tokens (as described in [http://tools.ietf.org/html/rfc5849 RFC 5849]).
* OAuth support can be disabled.
* Likely uses hashlib for the actual algorithm.
||
* keystone.contrib.oauth1.core.py
* keystone.contrib.oauth1.verifier.py
|-
| sha256 || EC2 tokens || No || hashlib ||
* Required for EC2 compatibility, so it can't be configurable.
||
* keystone.credential.controllers.py
* keystone.common.utils.py
* keystoneclient.contrib.ec2.utils.py
|-
| sha384 || Memcache signing || No || hashlib ||
* Used for signing and verification when memcache encryption is enabled.
||
* keystoneclient.middleware.memcache_crypt.py
|-
| sha512 || Password hashing || No || PassLib ||
* The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000).
||
* keystone.common.utils.py
|}

=== Sensitive Data ===
==== Keys/Certificates ====
* PKI signing key - Protected via filesystem ownership/permissions.
* SSL/TLS key - Protected via filesystem ownership/permissions.
==== Passwords ====
* SSL/TLS must be enabled in Keystone to prevent clients from sending passwords over the network in clear-text.
* Strict password checking is performed prior to hashing. If it is set to true, the operation will fail with an HTTP 403 Forbidden error; if it is set to false, passwords are automatically truncated to the predefined maximum length.
** Configurable via CONF.strict_password_check (default=False)
** Configurable via CONF.identity.max_password_length (default=4096)
* SQL Identity
** Password hashes are stored in SQL database.
** SSL/TLS can be used to protect the connection to the database.
* LDAP Identity
** SSL/TLS must be used for connections to LDAP to prevent Keystone from sending passwords over the network in clear-text.

==== Tokens ====
*Signed tokens are stored in their entirety in one of the following backends:
** KVS
** Memcached
*** Ephemeral storage.
*** Able to use AES encryption and sha384 signing.
** SQL (default)
*** Persistent storage.
***SSL/TLS can be used to protect the connection to the database.
* Expired tokens are not automatically removed from the backend. The "keystone-manage token_flush" command should be used to periodically remove expired tokens (via cron).
=== Potential Improvements ===
* Allow all hashing schemes to be configurable where not restricted by compatibility requirements (such as S3 and EC2)
* The use of md5 for token hashing is the biggest concern, as it's use is discouraged (or disallowed in the case of FIPS). Changes are [https://review.openstack.org/#/c/80401/ in progress] to make this configurable in Juno. The default should be sha256 if possible.
* Allow support for LDAP SASL bind methods(such as DIGEST-MD5 and GSSAPI).
* Allow other forms of external authentication to avoid using passwords (Kerberos, SAML).
=== Notable changes since Juno ===
* ?