Swift object/proxy server writing Auth Token to log file (swauth)

Bug #1655781 reported by Rahul U Nair
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Invalid
Undecided
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned
Swift Authentication
In Progress
High
Pavel Kvasnička

Bug Description

Auth tokens logged by proxy and object server if the swauth[1] authentication middleware is used.

Swift object store and proxy server is saving tokens retrieved from middleware authentication mechanism (swauth) to log file

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retieve token using:

```
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```

Logs written when the above command is excecuted has the token as well:

```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```

3. After retrieving the token from the logfile, I was able to execute this command as below,

```
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```

The output obtained:

```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```

As, swift has the ability to add any middleware for authentication, swauth is officially part of OpenStack project[1], the token should not be logged. I suspect this issue would be there for any authentication middleware and is a security issue.

[1]. https://github.com/openstack/swauth

CVE References

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

Minor correction to the bug description: swauth is not a deliverable of any official OpenStack project team, it merely shares our Git namespace because its development is hosted within our community infrastructure. We extend use of our developer community infrastructure to any projects within our ecosystem who wish to make use of the same workflows and hosting provided to official OpenStack software.

Revision history for this message
Jeremy Stanley (fungi) wrote :

I've added swauth as an affected project on this report, hoping their bug team might have some feedback.

Revision history for this message
Ondřej Nový (onovy) wrote :

Swauth stores tokens directly in swift (in object AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0). I think other auth middlewares are not affected.

Only solution is to hash token again before storing them in Swift. I will look into it.

Ondřej Nový (onovy)
Changed in swauth:
assignee: nobody → Pavel Kvasnička (pavel-kvasnicka)
status: New → In Progress
Revision history for this message
Ondřej Nový (onovy) wrote :

CVE-2017-16613

Ondřej Nový (onovy)
information type: Private Security → Public Security
Revision history for this message
Ondřej Nový (onovy) wrote :
Changed in swauth:
importance: Undecided → High
Changed in swauth:
status: In Progress → Confirmed
status: Confirmed → In Progress
Revision history for this message
Ondřej Nový (onovy) wrote :
Jeremy Stanley (fungi)
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Jeremy Stanley (fungi) wrote :

I've gone ahead and marked the OpenStack Security Advisory task to Won't Fix. Since swauth isn't an official OpenStack deliverable, this is probably closest to report class C2 for the OpenStack VMT (A vulnerability, but not in OpenStack supported code, e.g., in a dependency): https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Tim Burke (1-tim-z)
Changed in swift:
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.