yahoo-eng-team team mailing list archive
Message #85189
[Bug 1901891] Re: Issues regarding application credentials
Given nobody has objected to the proposed classifications in my comment
#2 from October, I'll go ahead and mark our security advisory task Won't
Fix for this. We can revisit the decision if anyone disagrees.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1901891
Title:
Issues regarding application credentials
Status in OpenStack Identity (keystone):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
While looking into the application credential API we came across
several issues. Since they are all closely related I will file them
under this issue:
- No secret strength requirements. To configure a password strength
requirement for users, one can use `password_regex`. However, this is
not possible for application credentials, which makes it possible to
create a credential with the secret 'a':
$ openstack application credential create test-secret-strength --secret a
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| description  | None                             |
| expires_at   | None                             |
| id           | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| name         | test-secret-strength             |
| project_id   | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| roles        | member reader                    |
| secret       | a                                |
| system       | None                             |
| unrestricted | False                            |
| user_id      | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+--------------+----------------------------------+
To attack this, you'd still need to know the ID, but combined with
https://bugs.launchpad.net/keystone/+bug/1901207 the impact of this
issue is increased.
- No lockout feature. For normal login, the settings
`lockout_failure_attempts` and `lockout_duration` are used. These do
not affect the application credential API. This increases the attack
surface unnecessarily in my opinion. Combined with weak secrets and
https://bugs.launchpad.net/keystone/+bug/1901207 the probability of a
successful attack is increased.
- Only part of secret is verified. It looks like only the first 72
characters of the secret of an application credential are used to
verify it. Characters after that are not used in the verification. The
default length of a secret seems to be 86 characters. Even though
brute-forcing 72 characters is still pretty impossible, this doesn't
sound like intended behaviour to me.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1901891/+subscriptions
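The three gaps in the report above (no strength policy for secrets, no lockout on the application credential API, and only the first 72 characters of a secret being verified) can be partly compensated outside keystone. The following is an added example written for this archive page; it is not keystone code and not something the reporter or the OSSA team published. It assumes: a 72-byte verified prefix (bcrypt's input limit, consistent with the report's observation but not confirmed by the page), a constructed secret policy regex standing in for the `password_regex` option the report says does not apply to application credentials, and a hypothetical log line format for failed application credential authentications (keystone's real log format is not shown on the page). The detection function plays the role of the missing `lockout_failure_attempts` / `lockout_duration` behaviour by flagging any application credential id that accumulates too many failures inside a sliding window.

```python
"""Compensating controls for the application credential gaps described
in bug 1901891.  Added example; not keystone's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: only the first 72 bytes of a secret are verified (bcrypt's
# input limit).  The bug report observes the 72-character cut-off but does
# not name the hash function.
VERIFIED_SECRET_BYTES = 72

# Constructed policy, analogous to keystone's password_regex option for
# user passwords: at least 16 characters with upper, lower and digit.
SECRET_REGEX = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{16,}$")


def check_secret_policy(secret):
    """Return a list of policy findings for a proposed credential secret.

    An empty list means the secret is acceptable under the constructed
    policy.  Secrets longer than the verified prefix are reported because
    the trailing characters add no protection.
    """
    findings = []
    if not SECRET_REGEX.match(secret):
        findings.append("secret does not meet strength policy "
                        "(16+ chars with upper, lower and digit)")
    if len(secret.encode("utf-8")) > VERIFIED_SECRET_BYTES:
        findings.append("only the first %d bytes are verified; trailing "
                        "characters add no protection" % VERIFIED_SECRET_BYTES)
    return findings


# Hypothetical log format (constructed for this example, NOT keystone's):
#   <ISO timestamp> auth_failed method=application_credential \
#       app_cred_id=<id> remote=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth_failed method=application_credential "
    r"app_cred_id=(?P<app_cred_id>\w+) remote=(?P<remote>\S+)$"
)


def detect_bruteforce(log_lines, threshold=5, window_seconds=300):
    """Sliding-window failure counter per application credential id.

    threshold and window_seconds mirror the intent of keystone's
    lockout_failure_attempts and lockout_duration settings, which the
    report notes do not cover the application credential API.  Returns a
    dict {app_cred_id: ISO timestamp at which the threshold was reached}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # app_cred_id -> timestamps inside window
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a failed application credential auth
        ts = datetime.fromisoformat(m.group("ts"))
        key = m.group("app_cred_id")
        q = recent[key]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts.isoformat()
    return flagged


# Constructed sample log: cred1 is hammered within 20 seconds, cred2 sees
# one failure every ten minutes (legitimate misconfiguration, not abuse).
SAMPLE_LOG = [
    "2020-10-28T10:00:00 auth_failed method=application_credential app_cred_id=cred1 remote=192.0.2.10",
    "2020-10-28T10:00:05 auth_failed method=application_credential app_cred_id=cred1 remote=192.0.2.10",
    "2020-10-28T10:00:09 auth_failed method=application_credential app_cred_id=cred1 remote=192.0.2.10",
    "2020-10-28T10:00:14 auth_failed method=application_credential app_cred_id=cred1 remote=192.0.2.10",
    "2020-10-28T10:00:20 auth_failed method=application_credential app_cred_id=cred1 remote=192.0.2.10",
    "2020-10-28T10:00:00 auth_failed method=application_credential app_cred_id=cred2 remote=198.51.100.7",
    "2020-10-28T10:10:00 auth_failed method=application_credential app_cred_id=cred2 remote=198.51.100.7",
    "2020-10-28T10:20:00 auth_failed method=application_credential app_cred_id=cred2 remote=198.51.100.7",
    "2020-10-28T10:30:00 auth_failed method=application_credential app_cred_id=cred2 remote=198.51.100.7",
    "2020-10-28T10:40:00 auth_failed method=application_credential app_cred_id=cred2 remote=198.51.100.7",
    "2020-10-28T10:00:30 INFO unrelated line",
]

if __name__ == "__main__":
    print("policy findings for 'a':", check_secret_policy("a"))
    print("policy findings for 86-char secret:",
          check_secret_policy("Aa1" + "x" * 83))
    print("flagged:", detect_bruteforce(SAMPLE_LOG))
```

The detector is keyed on the application credential id rather than the source address, because the report's concern is a guessing campaign against a known id (see the linked bug 1901207); an operator would normally feed it from a log shipper and act on the flagged ids with a rate limit or a credential rotation rather than a hard lockout, since a lockout on a shared automation credential is itself a denial-of-service lever.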