Your message dated Tue, 21 Nov 2017 11:52:53 +0000
with message-id <[email protected]>
and subject line Bug#882314: fixed in swauth 1.2.0-4
has caused the Debian Bug report #882314,
regarding swauth: Swift object/proxy server writing swauth Auth Token to log
file (CVE-2017-16613)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
882314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882314
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: swauth
Version: 1.2.0-3
Severity: grave
Tags: security upstream
Justification: user security hole
Refs: https://bugs.launchpad.net/swift/+bug/1655781
CVE-2017-16613
Auth tokens logged by proxy and object server if the swauth[1] authentication
middleware is used.
Swift object store and proxy server is saving tokens retrieved from middleware
authentication mechanism (swauth) to log file
Steps to trigger the issue:
1. Enable `swauth` authentication middleware
2. Retrieve token using:
```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```
Logs written when the above command is executed have the token as well:
```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```
3. After retrieving the token from the logfile, I was able to execute this
command as below:
```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```
The output obtained:
```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```
As Swift has the ability to add any middleware for authentication, and swauth is
officially part of the OpenStack project[1], the token should not be logged. I
suspect this issue would be there for any authentication middleware and is a
security issue.
[1]. https://github.com/openstack/swauth
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: swauth
Source-Version: 1.2.0-4
We believe that the bug you reported is fixed in the latest version of
swauth, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Nový <[email protected]> (supplier of updated swauth package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 21 Nov 2017 12:24:54 +0100
Source: swauth
Binary: swauth swauth-doc
Architecture: source
Version: 1.2.0-4
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Ondřej Nový <[email protected]>
Description:
swauth - alternative authentication system for Swift
swauth-doc - alternative authentication system for Swift - documentation
Closes: 882314
Changes:
swauth (1.2.0-4) unstable; urgency=high
.
[ Daniel Baumann ]
* Updating vcs fields.
* Updating copyright format url.
* Updating maintainer field.
* Running wrap-and-sort -bast.
* Removing gbp.conf, not used anymore or should be specified in the
developers dotfiles.
* Updating standards version to 4.1.0.
.
[ Ondřej Nový ]
* Hash token before storing it in Swift
(CVE-2017-16613, Closes: #882314)
Checksums-Sha1:
5ffcb4ebf43a7b81b4f8df65bfa7fe36a08dd762 2265 swauth_1.2.0-4.dsc
4eb71cd1308609ad83c8c0ab9809c37049dc0bcf 11396 swauth_1.2.0-4.debian.tar.xz
cd108fd1bd8add6f46fbb0a443419468d03796ba 10835 swauth_1.2.0-4_amd64.buildinfo
Checksums-Sha256:
b32ee396e72c2aec97c41a78111d1a54a18111b4943889c6703a16187509f99d 2265 swauth_1.2.0-4.dsc
e7f24e88eaa31bcb0efedaa8b1d72c6a51a08bf9b216ccc42dc0b2c3132ba904 11396 swauth_1.2.0-4.debian.tar.xz
5c9ece085ec03265b522d69eb45d7a14e21c9bd0a4367aeb468ca73f8da69b3e 10835 swauth_1.2.0-4_amd64.buildinfo
Files:
19ce798c784df0c51d070128eded93d3 2265 net optional swauth_1.2.0-4.dsc
8afded608042f4c6bd433e065515ce29 11396 net optional swauth_1.2.0-4.debian.tar.xz
9560391d6aef418132fd2ad4e0442240 10835 net optional swauth_1.2.0-4_amd64.buildinfo
--- End Message ---
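The report's log lines show the problem (the raw swauth token becomes part of the object path that the proxy and object servers log), and the changelog entry "Hash token before storing it in Swift" names the fix. The following Python is an added example, not code from the bug report, the swauth package or Swift; it shows both sides from a defender's view: a scanner that flags swauth tokens that have reached proxy/object logs (run over constructed lines modelled on the report), a redaction helper for logs that must be retained or shipped, and a keyed-hash storage name so that the path Swift logs carries only a digest. The functions `find_leaked_tokens`, `redact_tokens`, `token_storage_name` and `token_object_path`, the HMAC-SHA512 construction, the server secret and the shard-by-last-hex-digit container layout are assumptions of this example, not the upstream implementation.

```python
"""Added example: find/redact swauth tokens in Swift logs and derive a hashed
storage name so the logged object path no longer carries the token.
Not code from the bug report, the swauth package or Swift."""
import hashlib
import hmac
import re

# A swauth token as seen in the report: "AUTH_tk" followed by 32 hex digits.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")

# Constructed sample log lines modelled on the report (token value copied from it).
# Line 1 carries the token twice (request path and referer), line 2 once, line 3 never.
SAMPLE_LOG = (
    'Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] '
    '"GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 '
    '"GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"\n'
    'Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 '
    'GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 -\n'
    'Jan 11 22:51:23 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/23 '
    'HEAD /v1/AUTH_test HTTP/1.0 204 -\n'
)


def find_leaked_tokens(log_text):
    """Return (line_number, token) for every plaintext swauth token in the log text.
    Use it as a detection check on proxy/object logs after enabling swauth."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact_tokens(log_text):
    """Replace every token with a fixed marker, for logs that must be kept or shipped."""
    return TOKEN_RE.sub("AUTH_tk<redacted>", log_text)


def token_storage_name(token, server_secret):
    """Keyed SHA-512 digest of the token (assumption: mirrors the intent of
    'hash token before storing it in Swift', not the upstream code). The client
    still presents the raw token; the server hashes it before the object lookup,
    so only the digest appears in the object name and therefore in the logs."""
    return hmac.new(server_secret, token.encode("ascii"), hashlib.sha512).hexdigest()


def token_object_path(token, server_secret, auth_account="AUTH_.auth"):
    """Object path Swift would log after the fix. The shard container is chosen by
    the last hex digit of the storage name (assumption, modelled on '.token_0')."""
    name = token_storage_name(token, server_secret)
    return "/v1/%s/.token_%s/%s" % (auth_account, name[-1], name)


if __name__ == "__main__":
    for lineno, tok in find_leaked_tokens(SAMPLE_LOG):
        print("line %d leaks token %s" % (lineno, tok))
    print(redact_tokens(SAMPLE_LOG))
    # Constructed secret; a real deployment would load it from the server's config.
    print(token_object_path("AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0",
                            b"constructed-server-secret"))
```

Running the scanner over the constructed lines reports the token on lines 1 (twice) and 2; running it over the path produced by `token_object_path` reports nothing, because only the digest is in the path. The digest is keyed with a server-side secret so that someone reading the logged name cannot recompute or verify a candidate token offline without that secret.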