Your message dated Thu, 23 Nov 2017 13:02:08 +0000
with message-id <[email protected]>
and subject line Bug#882314: fixed in swauth 1.2.0-2+deb9u1
has caused the Debian Bug report #882314,
regarding swauth: Swift object/proxy server writing swauth Auth Token to log 
file (CVE-2017-16613)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
882314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882314
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: swauth
Version: 1.2.0-3
Severity: grave
Tags: security upstream
Justification: user security hole

Refs: https://bugs.launchpad.net/swift/+bug/1655781
CVE-2017-16613

Auth tokens logged by proxy and object server if the swauth[1] authentication 
middleware is used.

Swift object store and proxy server are saving tokens retrieved from the middleware 
authentication mechanism (swauth) to the log file.

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retrieve the token using:

```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```

Logs written when the above command is executed have the token as well:

```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"; "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```

3. After retrieving the token from the log file, I was able to execute this 
command, as below:

```
curl -i 'http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json' -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```

The output obtained:

```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```

As Swift has the ability to add any middleware for authentication, and swauth is 
officially part of the OpenStack project[1], the token should not be logged. I 
suspect this issue would be there for any authentication middleware and is a 
security issue.

[1]. https://github.com/openstack/swauth

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
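The mechanism behind the report above, as an added example that is not part of the bug report or of swauth's own code: swauth kept each token as an object under its `AUTH_.auth` account, so the token itself became part of a request path, and Swift's proxy-server and object-server log request paths verbatim. The changelog further down describes the fix as hashing the token before storing it. The code below shows the vulnerable path construction beside a hashed form, a validation routine that works on digests, and a detector that scans log lines for raw tokens. Assumptions: the `.token_<last character>` container rule is inferred from the logged path `.token_0/AUTH_tk...0`, not read from swauth's source; HMAC-SHA256 with a per-deployment secret is this example's choice of hash, since the page does not say which function or salt the fix uses; and the log lines are constructed from the excerpt above with hostnames and timings trimmed.

```python
import hashlib
import hmac
import re

# Constructed sample: the three log lines from the bug report, trimmed to
# the fields that matter here (hostnames, timestamps and timings dropped).
SAMPLE_LOGS = [
    'object-6030: 127.0.0.1 - - "GET /sdb3/660/AUTH_.auth/.token_0/'
    'AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194',
    'proxy-server: - - GET /v1/AUTH_.auth/.token_0/'
    'AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 -',
    'object-6030: STDERR: 127.0.0.1 - - "GET /sdb3/660/AUTH_.auth/.token_0/'
    'AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579',
]

# swauth tokens in the excerpt are "AUTH_tk" followed by 32 hex digits.
TOKEN_RE = re.compile(r'\bAUTH_tk[0-9a-f]{32}\b')
AUTH_ACCOUNT = 'AUTH_.auth'  # swauth's bookkeeping account, as in the logged paths


def token_container(name):
    # The excerpt files a token ending in "0" under ".token_0"; the container
    # suffix is taken to be the object name's last character (inferred from
    # the logged path, not from swauth's source).
    return '.token_%s' % name[-1]


def vulnerable_token_path(token):
    """Pre-fix behaviour: the raw bearer token is the object name, so every
    lookup of the token object carries the token in the request path, and
    proxy-server and object-server both log request paths verbatim."""
    return '/v1/%s/%s/%s' % (AUTH_ACCOUNT, token_container(token), token)


def hash_token(token, salt):
    """Hardened form: store a keyed digest instead of the token. HMAC-SHA256
    with a per-deployment secret is this example's choice; the changelog only
    says the token is hashed, not which function or salt is used."""
    return hmac.new(salt.encode(), token.encode(), hashlib.sha256).hexdigest()


def hardened_token_path(token, salt):
    """Post-fix shape: only the digest ever appears in a request path."""
    digest = hash_token(token, salt)
    return '/v1/%s/%s/%s' % (AUTH_ACCOUNT, token_container(digest), digest)


def validate_presented_token(presented, stored_digests, salt):
    """Server-side check after the fix: hash what the client sent and compare
    against stored digests. A digest read out of a log cannot be replayed as
    X-Auth-Token, because the server would hash it again."""
    candidate = hash_token(presented, salt)
    return any(hmac.compare_digest(candidate, d) for d in stored_digests)


def find_leaked_tokens(log_lines):
    """Detection: list raw swauth tokens that appear in proxy/object logs."""
    found = set()
    for line in log_lines:
        found.update(TOKEN_RE.findall(line))
    return sorted(found)


def proxy_log_line(path):
    # Constructed proxy-server style line for a given request path.
    return 'proxy-server: - - GET %s HTTP/1.0 200 -' % path


if __name__ == '__main__':
    token = 'AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0'
    salt = 'example-deployment-secret'  # placeholder, not a real setting
    print('leaked in sample logs:', find_leaked_tokens(SAMPLE_LOGS))
    print('vulnerable path:', vulnerable_token_path(token))
    hardened = hardened_token_path(token, salt)
    print('hardened path:  ', hardened)
    print('leaked after fix:', find_leaked_tokens([proxy_log_line(hardened)]))
    print('token validates:',
          validate_presented_token(token, {hash_token(token, salt)}, salt))
```

The detector is tied to the `AUTH_tk` plus 32 hex digits shape seen in the excerpt; run it over proxy-server and object-server logs, including the STDERR line the report shows, because all three record the path. Note that hashing only removes the token from the storage path: rotating the logged tokens and checking who could read the logs is still part of the clean-up after applying the fixed package.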
--- Begin Message ---
Source: swauth
Source-Version: 1.2.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
swauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <[email protected]> (supplier of updated swauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Nov 2017 12:34:33 +0100
Source: swauth
Binary: swauth swauth-doc
Architecture: source all
Version: 1.2.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Ondřej Nový <[email protected]>
Description:
 swauth     - alternative authentication system for Swift
 swauth-doc - alternative authentication system for Swift - documentation
Closes: 882314
Changes:
 swauth (1.2.0-2+deb9u1) stretch-security; urgency=high
 .
   * Hash token before storing it in Swift
     (CVE-2017-16613, Closes: #882314)
Checksums-Sha1:
 bae549c3e41313326ee7da584a85abbdc0537744 2300 swauth_1.2.0-2+deb9u1.dsc
 badeff6834d6395040adf97d8cb35c5b9952c306 140060 swauth_1.2.0.orig.tar.xz
 49058e7cb91ce41d32bff5ae88e7a9523aac571e 11320 swauth_1.2.0-2+deb9u1.debian.tar.xz
 4707ab0f20c450f3ce4a91dbef0846c380bd7645 69312 swauth-doc_1.2.0-2+deb9u1_all.deb
 d586b6b5ca52c2575eae45e4e5d85ff29ebd7f0c 36138 swauth_1.2.0-2+deb9u1_all.deb
 82607b8c893407d45d77084559f1ecfcd79b1c80 10686 swauth_1.2.0-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 7ecf5b225ae67dfaf207f914eadf0d78a0be35ace082727f88a6c6c8b9015654 2300 swauth_1.2.0-2+deb9u1.dsc
 05a715d48fe916d0a68f307f6dc38d14ffae488c6f5822b3cd584d91d5b418df 140060 swauth_1.2.0.orig.tar.xz
 100b15a0a97576163d5270a0a01546505540baae4ad4d8ab855c0a19acbe3827 11320 swauth_1.2.0-2+deb9u1.debian.tar.xz
 2403717c976ab5fb5c95ee70b2783784b7a7bce23cf95a76846f0b59731ec476 69312 swauth-doc_1.2.0-2+deb9u1_all.deb
 eea8bf502144d270518b6e8ab4e41875fadefd22ddc9203bda4584f50196bc2d 36138 swauth_1.2.0-2+deb9u1_all.deb
 287becdf35a487d24a4763399e6fac361826c77ca6330dbab8526718f6cfb20e 10686 swauth_1.2.0-2+deb9u1_amd64.buildinfo
Files:
 0fcde5113f0856ef14a064bde4fd8212 2300 net optional swauth_1.2.0-2+deb9u1.dsc
 9a5d39883ea8510f879507cedb015bff 140060 net optional swauth_1.2.0.orig.tar.xz
 b4fb7cf917b10d26b99cf9994dada211 11320 net optional swauth_1.2.0-2+deb9u1.debian.tar.xz
 63fa0e6fc2d9b84d9e9945587331e790 69312 doc optional swauth-doc_1.2.0-2+deb9u1_all.deb
 323c38eb185089b537edbc15be79acee 36138 net optional swauth_1.2.0-2+deb9u1_all.deb
 17a98043c38ce213177a30ced01e2f3b 10686 net optional swauth_1.2.0-2+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
