I'm going to mark this as invalid. It is recommended to add a rate-
limiter in front of the OpenStack services if needed. Ideally Keystone
could support such a bit of software, but it is largely out of scope
(it can be supplied by the fronting web servers, e.g. Apache and
mod_ratelimit).

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1548580

Title:
  [FG-VD-16-010] Openstack Dashboard Brute Force Vulnerability
  Notification

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Identity (keystone):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Vulnerability Notification
  February 22, 2016
  Tracking Case #: FG-VD-16-010

  Dear Openstack,

  The following information pertains to information discovered by
  Fortinet's FortiGuard Labs. It has been determined that a
  vulnerability exists in Openstack Dashboard module.  To streamline the
  disclosure process, we have created a preliminary advisory which you
  can find below. This upcoming advisory is purely intended as a
  reference, and does not contain sensitive information such as proof of
  concept code.

  As a mature corporation involved in security research, we strive to
  responsibly disclose vulnerability information. We will not post an
  advisory until we determine it is appropriate to do so in coordination
  with the vendor unless a resolution cannot be reached. We will not
  disclose full proof of concept, only details relevant to the advisory.

  We look forward to working closely with you to resolve this issue, and
  kindly ask for your co-operation during this time. Please let us know
  if you have any further questions, and we will promptly respond to
  address any issues.

  If this message is not encrypted, it is because we could not find your
  key to do so. If you have one available for use, please notify us and
  we will ensure that this is used in future correspondence. We ask you
  use our public PGP key to encrypt and communicate any sensitive
  information with us. You may find the key on our FortiGuard center at:
  http://www.fortiguard.com/pgp_key.html.

  
  Type of Vulnerability & Repercussions:
    Brute Force

  Affected Software:
    Ubuntu 14.04.3 with latest repository installed
    # apt-get install software-properties-common
    # add-apt-repository cloud-archive:liberty
    

  Upcoming Advisory Reference:
    http://www.fortiguard.com/advisory/UpcomingAdvisories.html

  Credits:
    This vulnerability was discovered by Fortinet's FortiGuard Labs.

  
  Proof of Concept/How to Reproduce:
        Run a brute force attack against the Openstack dashboard using any
        user and password. Following is the login packet:

        ###########################################################################
        POST /horizon/auth/login/ HTTP/1.1
        Host: 10.0.0.11
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://10.0.0.11/horizon/auth/login/
        Cookie: csrftoken=plZbX8UMSn9jziJMfhHmC739KXYg8ANv; login_region="http://controller:5000/v2.0";
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 167

        csrfmiddlewaretoken=plZbX8UMSn9jziJMfhHmC739KXYg8ANv&fake_email=demo&fake_password=admin123&region=http%3A%2F%2Fcontroller%3A5000%2Fv2.0&username=test&password=zxcvbnm

        ###########################################################################
    Notes:
       1) Replace the above csrfmiddlewaretoken with a valid csrftoken in the
          initial brute force attack. A valid csrftoken can be obtained from
          the response of http://10.0.0.11/horizon/auth/login/.
       2) The Openstack dashboard module doesn't have brute force attack
          detection and protection.

   Additional Information:

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1548580/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
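The advisory's note 2 states that Horizon has no brute-force detection, and the Keystone response moves the job to whatever sits in front of the services. One thing a practitioner can do at that layer is watch the web server's access log. The following is an added example, not code from the bug report, Horizon or Keystone: it parses Apache combined-format access log lines (the sample lines are constructed) and flags any client IP that produces a threshold number of failed POSTs to /horizon/auth/login/ inside a sliding time window. It assumes that a failed Horizon login re-renders the form with HTTP 200 while a successful one redirects with 302; the path, log format, threshold and window size are all assumptions.

```python
"""Sliding-window failed-login detector for the Horizon login endpoint.

Added example; not part of the original bug report, Horizon or Keystone.
Assumptions: Apache combined log format, and a failed login to Horizon
re-renders the form (HTTP 200) while a success redirects (HTTP 302).
The sample log lines below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/horizon/auth/login/"  # assumed path, as in the advisory's packet

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A POST to the login view answered with 200 is a re-rendered form, i.e. a failed attempt.

    Assumption: Django's login view redirects (302) on success and re-renders on failure.
    """
    return rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] == 200


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for each IP at the moment it first reached
    `threshold` failed logins within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(deque)  # ip -> timestamps of recent failures, oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = attempts[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


# Constructed sample: 10.0.0.50 fails once then logs in; 10.0.0.99 hammers the form.
SAMPLE_LOG = [
    '10.0.0.50 - - [22/Feb/2016:10:00:00 +0000] "GET /horizon/auth/login/ HTTP/1.1" 200 3521',
    '10.0.0.50 - - [22/Feb/2016:10:00:05 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.50 - - [22/Feb/2016:10:00:12 +0000] "POST /horizon/auth/login/ HTTP/1.1" 302 0',
    '10.0.0.99 - - [22/Feb/2016:10:01:00 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.99 - - [22/Feb/2016:10:01:01 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.99 - - [22/Feb/2016:10:01:02 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.99 - - [22/Feb/2016:10:01:03 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.99 - - [22/Feb/2016:10:01:04 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    '10.0.0.99 - - [22/Feb/2016:10:05:00 +0000] "POST /horizon/auth/login/ HTTP/1.1" 200 3640',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, ts in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force suspected from {ip} at {ts.isoformat()}")
```

Keying on the client IP is the simplest choice and is what an Apache-side limiter would key on too; a distributed attacker with many source addresses or a single username sprayed from many IPs is not caught by this, so a per-username counter on the same failed-POST stream is the natural next step.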