This was assigned CVE-2019-19687 and was fixed via https://usn.ubuntu.com/4262-1/ in Ubuntu.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19687 ** Changed in: keystone (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1855080 Title: Credentials API allows listing and retrieving of all users credentials Status in OpenStack Identity (keystone): Fix Released Status in OpenStack Security Advisory: Fix Released Status in keystone package in Ubuntu: Fix Released Bug description: Tested against Stein and Train. # User creating a credential, i.e totp or similar $ OS_CLOUD=1 openstack token issue | project_id | c3caf1b55bb84b78a795fd81838e5160 | user_id | 9971b0f13d2d4a578212d028a53c3209 $ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data $ OS_CLOUD=1 openstack credential list +----------------------------------+------+----------------------------------+-----------+------------+ | ID | Type | User ID | Data | Project ID | +----------------------------------+------+----------------------------------+-----------+------------+ | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None | +----------------------------------+------+----------------------------------+-----------+------------+ # Different User but same Project $ OS_CLOUD=2 openstack token issue | project_id | c3caf1b55bb84b78a795fd81838e5160 | user_id | 6b28a0b073fc4ac7843f33190ebc5c3c $ OS_CLOUD=2 openstack credential list +----------------------------------+------+----------------------------------+-----------+------------+ | ID | Type | User ID | Data | Project ID | +----------------------------------+------+----------------------------------+-----------+------------+ | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None | +----------------------------------+------+----------------------------------+-----------+------------+ # Different User and Different Project $ OS_CLOUD=3 openstack token issue | project_id | d43f20ae5a7e4f36b701710277384401 | user_id | 2e48f1a7d1474391a826a2b9700e5949 $ OS_CLOUD=3 openstack credential list +----------------------------------+------+----------------------------------+-----------+------------+ | ID | Type | User ID | Data | Project ID | +----------------------------------+------+----------------------------------+-----------+------------+ | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None | +----------------------------------+------+----------------------------------+-----------+------------+ As shown anyone who's authenticated can retrieve any credentials including their 'secret'. This is a rather severe information disclosure vulnerability and completely defies the purpose of TOTP or MFA as these credentials are not kept secure or private whatsoever. If Auth-rules are configured allow login with only 'topt' it would be extremely easy to assume a different user's identity. A CVE should be issued for this. I can take care of that paperwork. Versions affected and tested: Train/ubuntu: $ dpkg -l | grep keystone ii keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Daemons ii keystone-common 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Common files ii python-keystoneauth1 3.13.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 2.7 ii python-keystoneclient 1:3.19.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 2.x ii python-keystonemiddleware 6.0.0-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 2.x ii python3-keystone 2:16.0.0-0ubuntu1~cloud0 all OpenStack identity service - Python 3 library ii python3-keystoneauth1 3.17.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 3.x ii python3-keystoneclient 1:3.21.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 3.x ii python3-keystonemiddleware 7.0.1-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 3.x Stein/RHEL: $ rpm -qa | grep keystone python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1855080/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
