yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2102096] Re: When MFA rule set contains a part that is composed of unavailable methods only, all available auth methods are allowed

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <2102096@xxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Mar 2025 17:45:39 -0000
Reply-to: Bug 2102096 <2102096@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

As discussed above, this bug report is now public. Feel free to push
fix(es) into Gerrit at your convenience.

** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2025-06-10 and will be made
- public by or on that date even if no fix is identified.
- 
- --
- 
  Assume that there is a user whose MFA rule like below. And unknown-
  method-1 and unknown-method-2 are unavailable auth method (the reason of
  the unavailablility does not matter here).
  
  "options": {
    "multi_factor_auth_enabled": true,
    "multi_factor_auth_rules": [
      ["password", "totp"],
      ["unknown-method-1", "unknown-method-2"]
    ]
  }
  
  Then, the user can authenticate with any combinations of methods that
  are not listed in the rule, in particular, only password or only totp. I
  guess this is not intended behavior.
  
  In code: https://opendev.org/openstack/keystone/src/tag/26.0.0/keystone/auth/core.py#L494
  when checking the rule ["unknown-method-1", "unknown-method-2"], r_set becomes an empty set thus `set(auth_method).issuperset(r_set)` is always True and any auth_method can pass the check.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2102096

Title:
  When MFA rule set contains a part that is composed of unavailable
  methods only, all available auth methods are allowed

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Assume that there is a user whose MFA rule like below. And unknown-
  method-1 and unknown-method-2 are unavailable auth method (the reason
  of the unavailablility does not matter here).

  "options": {
    "multi_factor_auth_enabled": true,
    "multi_factor_auth_rules": [
      ["password", "totp"],
      ["unknown-method-1", "unknown-method-2"]
    ]
  }

  Then, the user can authenticate with any combinations of methods that
  are not listed in the rule, in particular, only password or only totp.
  I guess this is not intended behavior.

  In code: https://opendev.org/openstack/keystone/src/tag/26.0.0/keystone/auth/core.py#L494
  when checking the rule ["unknown-method-1", "unknown-method-2"], r_set becomes an empty set thus `set(auth_method).issuperset(r_set)` is always True and any auth_method can pass the check.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2102096/+subscriptions