Reviewed: https://review.opendev.org/724124
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=ab89ea749013e7f2c46260f68504f5687763e019
Submitter: Zuul
Branch: master
commit ab89ea749013e7f2c46260f68504f5687763e019
Author: Colleen Murphy <colleen.mur...@suse.com>
Date: Thu Apr 16 17:05:43 2020 -0700
Check timestamp of signed EC2 token request
EC2 token requests contain a signature that signs the entire request,
including the access timestamp. While the signature is checked, the
timestamp is not, and so these signed requests remain valid
indefinitely, leaving the token API vulnerable to replay attacks. This
change introduces a configurable TTL for signed token requests and
ensures that the timestamp is actually validated against it.
The check will work for either an AWS Signature v1/v2 'Timestamp'
parameter[1] or the AWS Signature v4 'X-Aws-Date' header or
parameter[2].
Although this technically adds a new feature and the default value of
the feature changes behavior, this change is required to protect
credential holders and therefore must be backported to all supported
branches.
[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
Change-Id: Idb10267338b4204b435df233c636046a1ce5711f
Closes-bug: #1872737
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872737
Title:
Keystone doesn't check signature TTL of the EC2 credential auth method
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
AWS Signature V4 has a limited TTL for a token signature, used to
perform an authenticated request, usually it is 5 minutes. If there is
a MITM possible, then an attacker can use a sniffed header only within
5 minutes.
Keystone doesn't have a signature TTL check, and if an attacker can
sniff an auth header, this header can be used an unlimited number of
times to reissue an openstack token.
I have an https://github.com/kayrus/ec2auth tool to auth against
keystone using ec2 credentials. If you set a timestamp
(https://godoc.org/github.com/gophercloud/gophercloud/openstack/identity/v3/extensions/ec2tokens#AuthOptions)
to "time.Time{}" here:
https://github.com/kayrus/ec2auth/blob/master/pkg/main.go#L40,
keystone will identify this token as a valid one and return a valid
openstack token.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872737/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
