
yahoo-eng-team team mailing list archive

[Bug 1872737] Re: [OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE-2020-12692)


** Changed in: ossa
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872737

Title:
  [OSSA-2020-003] Keystone doesn't check signature TTL of the EC2
  credential auth method (CVE-2020-12692)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  AWS Signature V4 has a limited TTL for a token signature used to
  perform an authenticated request; usually it is 5 minutes. If a MITM
  is possible, then an attacker can use a sniffed header only within
  5 minutes.

  Keystone doesn't have a signature TTL check, and if an attacker can
  sniff an auth header, this header can be used an unlimited number of
  times to reissue an openstack token.

  I have a https://github.com/kayrus/ec2auth tool to auth against
  keystone using ec2 credentials. If you set a timestamp
  (https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions)
  to "time.Time{}" here:
  https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40,
  keystone will identify this token as a valid one and return a valid
  openstack token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872737/+subscriptions
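The freshness check the report says Keystone lacked, as an added example written for this page (it is neither Keystone's fix nor the reporter's tool): it reads the SigV4 timestamp from `X-Amz-Date` or the HTTP `Date` header and rejects anything outside a window around the server clock. The five-minute window, the header handling and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed bound: the roughly 5 minute SigV4 window the report cites as usual.
SIGNATURE_TTL = timedelta(minutes=5)

class StaleSignature(Exception):
    """Signed timestamp missing, unparsable or outside the TTL window."""

def parse_sigv4_timestamp(headers):
    """Return the signed timestamp as aware UTC: X-Amz-Date (basic ISO 8601,
    e.g. 20200414T101500Z) or, failing that, the HTTP Date header."""
    lower = {k.lower(): v for k, v in headers.items()}
    amz = lower.get("x-amz-date")
    if amz:
        try:
            return datetime.strptime(amz, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        except ValueError as exc:
            raise StaleSignature(f"unparsable X-Amz-Date: {amz!r}") from exc
    http_date = lower.get("date")
    if http_date:
        try:
            parsed = parsedate_to_datetime(http_date)
        except (TypeError, ValueError) as exc:
            raise StaleSignature(f"unparsable Date: {http_date!r}") from exc
        if parsed.tzinfo is None:  # "-0000" dates parse naive; treat as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise StaleSignature("request carries no signed timestamp")

def check_signature_ttl(headers, now=None, ttl=SIGNATURE_TTL):
    """Reject a request signed outside now +/- ttl; return its timestamp.
    Bounding both directions also rejects far-past values such as the Go zero
    time (0001-01-01) the report used, so a captured Authorization header
    replays only inside the window rather than indefinitely."""
    if now is None:
        now = datetime.now(timezone.utc)
    signed_at = parse_sigv4_timestamp(headers)
    if abs(now - signed_at) > ttl:
        raise StaleSignature(f"signed at {signed_at.isoformat()}, "
                             f"outside {ttl} around {now.isoformat()}")
    return signed_at

def is_fresh(headers, now=None, ttl=SIGNATURE_TTL):
    """Boolean form of check_signature_ttl for callers that prefer no exception."""
    try:
        check_signature_ttl(headers, now, ttl)
        return True
    except StaleSignature:
        return False
```

Run this before the signature itself is verified: a stale timestamp fails fast without spending an HMAC computation, and a clock-skew-tolerant window still bounds how long a captured header stays usable.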