Source: swauth
Version: 1.2.0-3
Severity: grave
Tags: security upstream
Justification: user security hole

Refs: https://bugs.launchpad.net/swift/+bug/1655781
CVE-2017-16613

Auth tokens logged by proxy and object server if the swauth[1] authentication 
middleware is used.

The Swift object server and proxy server save tokens retrieved from the middleware authentication mechanism (swauth) to the log file.

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retrieve a token using:

```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```

The logs written when the above command is executed contain the token as well:

```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```

3. After retrieving the token from the logfile, I was able to execute this command as below:

```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json \
  -X GET -H "Accept-Encoding: gzip" \
  -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```

The output obtained:

```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```

As swift has the ability to add any middleware for authentication, and swauth is officially part of the OpenStack project[1], the token should not be logged. I suspect this issue would be there for any authentication middleware and is a security issue.

[1]. https://github.com/openstack/swauth
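As an added example (not part of this bug report, nor code from swauth or Swift), a small Python scanner that finds swauth tokens in proxy-server and object-server log lines, reports which daemon wrote them, and redacts them; the token pattern (`AUTH_tk` plus 32 hex characters) and the syslog prefix are assumptions taken from the excerpt above, and the sample lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Assumption from the excerpt above: swauth tokens are "AUTH_tk" + 32 hex chars.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")
# Syslog prefix as in the excerpt: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+([^:\s]+):")


def redact_tokens(line: str) -> Tuple[str, int]:
    """Replace every token in a log line with a fixed marker; return (line, count)."""
    return TOKEN_RE.subn("AUTH_tk<redacted>", line)


def find_leaks(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, logging program, token) for each token in the log."""
    leaks = []
    for no, line in enumerate(lines, 1):
        m = SYSLOG_RE.match(line)
        program = m.group(1) if m else "unknown"
        for token in TOKEN_RE.findall(line):
            leaks.append((no, program, token))
    return leaks


def leaks_by_program(lines: List[str]) -> Dict[str, int]:
    """Count leaked tokens per daemon, to see which log formats need fixing."""
    counts: Dict[str, int] = {}
    for _, program, _ in find_leaks(lines):
        counts[program] = counts.get(program, 0) + 1
    return counts


# Constructed sample lines modelled on the excerpt above (shortened, token altered).
SAMPLE_LOG = [
    'Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] '
    '"GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tk0123456789abcdef0123456789abcdef" 200 194',
    'Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET '
    '/v1/AUTH_.auth/.token_0/AUTH_tk0123456789abcdef0123456789abcdef HTTP/1.0 200',
    'Jan 11 22:51:23 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/23 HEAD /v1/AUTH_test HTTP/1.0 204',
]

if __name__ == "__main__":
    for no, program, token in find_leaks(SAMPLE_LOG):
        print(f"line {no}: {program} logged token {token[:10]}...")
    for line in SAMPLE_LOG:
        print(redact_tokens(line)[0])
```

Running the scanner over the real proxy-server and object-server logs shows whether the leak is limited to the `.token_0` GET requests or appears elsewhere too.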

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
