As discussed above, this bug report is now public. Feel free to push fix(es) into Gerrit at your convenience.
** Description changed:

- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2025-06-10 and will be made
- public by or on that date even if no fix is identified.
- 
- --
- 
Assume that there is a user whose MFA rule is like below, and unknown-method-1 and unknown-method-2 are unavailable auth methods (the reason for the unavailability does not matter here).

"options": {
    "multi_factor_auth_enabled": true,
    "multi_factor_auth_rules": [
        ["password", "totp"],
        ["unknown-method-1", "unknown-method-2"]
    ]
}

Then the user can authenticate with any combination of methods that are not listed in the rule, in particular only password or only totp. I guess this is not intended behavior.

In the code: https://opendev.org/openstack/keystone/src/tag/26.0.0/keystone/auth/core.py#L494
when checking the rule ["unknown-method-1", "unknown-method-2"], r_set becomes an empty set, thus `set(auth_method).issuperset(r_set)` is always True and any auth_method can pass the check.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2102096

Title:
  When MFA rule set contains a part that is composed of unavailable
  methods only, all available auth methods are allowed

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2102096/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
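The rule evaluation the report describes, reduced to a self-contained Python model so the empty-set behaviour can be reproduced and compared with a fail-closed variant. This is an added example and not keystone's code or the upstream fix: the function names, the constructed set of loaded auth methods, and the hardened check are assumptions made for illustration; only the user options and the `issuperset` logic come from the report.

```python
"""Model of the MFA rule check described in the bug report.

Added example, not keystone's own code: the function names, the set of
loaded auth methods and the sample user options below are assumptions
made for illustration.
"""

# Constructed set of auth methods loaded on a hypothetical deployment.
# The two "unknown-*" methods from the report are deliberately absent.
AVAILABLE_METHODS = frozenset({"password", "totp", "token", "application_credential"})

# The user options from the report, as constructed sample input.
USER_OPTIONS = {
    "multi_factor_auth_enabled": True,
    "multi_factor_auth_rules": [
        ["password", "totp"],
        ["unknown-method-1", "unknown-method-2"],
    ],
}


def parse_rules(mfa_rules):
    """Keep only well-formed rules: non-empty lists of non-empty strings."""
    return [
        rule for rule in mfa_rules
        if isinstance(rule, list) and rule
        and all(isinstance(m, str) and m for m in rule)
    ]


def rule_satisfied_vulnerable(rule, auth_methods, available):
    """The check as the report describes it.

    The rule is first intersected with the loaded methods, and the
    presented methods must be a superset of the result. A rule made only
    of unloaded methods intersects to the empty set, and every set is a
    superset of the empty set, so the rule matches any request at all.
    """
    r_set = set(rule).intersection(available)
    return set(auth_methods).issuperset(r_set)


def rule_satisfied_hardened(rule, auth_methods, available):
    """Suggested fail-closed check (an assumption, not the upstream patch).

    A rule naming a method that is not loaded can never be satisfied as
    written, so it is treated as unsatisfiable instead of being silently
    narrowed; the presented methods are compared against the full rule.
    """
    r_set = set(rule)
    if not r_set.issubset(available):
        return False
    return set(auth_methods).issuperset(r_set)


def mfa_check(auth_methods, options=USER_OPTIONS, available=AVAILABLE_METHODS,
              rule_satisfied=rule_satisfied_hardened):
    """Return True when the presented auth methods satisfy the user's MFA rules."""
    if not options.get("multi_factor_auth_enabled", True):
        return True
    rules = parse_rules(options.get("multi_factor_auth_rules", []))
    if not rules:
        return True
    return any(rule_satisfied(rule, auth_methods, available) for rule in rules)


if __name__ == "__main__":
    for methods in (["password"], ["totp"], ["token"], ["password", "totp"]):
        print(methods,
              "vulnerable:", mfa_check(methods, rule_satisfied=rule_satisfied_vulnerable),
              "hardened:", mfa_check(methods))
```

With the report's options, the vulnerable variant accepts a bare `password`, a bare `totp`, or even an unrelated `token` request because the second rule collapses to `{}`; the hardened variant accepts only `password` together with `totp`. Note the trade-off of the fail-closed choice: a user whose every rule references an unloaded method cannot authenticate at all until the rules or the loaded plugins are corrected, so deployments adopting this behaviour should validate rules against the loaded methods when they are written, not only at authentication time.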