
[keystone] Keystone Admin API - Unencrypted Submission of Credentials

Open · claco opened this issue 10 years ago · 1 comment

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Keystone Admin API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:35357

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References:
- http://cwe.mitre.org/data/definitions/319.html
- https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/keystone/attributes/default.rb
162:default["keystone"]["services"]["admin-api"]["port"] = "35357"              # node_attribute

cookbooks/keystone/README.md
81:      auth_port "35357"
122:      auth_port "35357"
164:      auth_port "35357"
176:      auth_port "35357"
215:      auth_port "35357"
258:      auth_port "35357"
264:      endpoint_adminurl "http://192.168.1.10:35357/v2.0"
297:      auth_port "35357"

cookbooks/keystone/templates/default/patches/ldap_user_enabled_default_config.py.1:2013.1-0ubuntu1~cloud0.erb
187:    register_int('admin_port', default=35357)

cookbooks/osops-utils/libraries/ip_location.rb
31:  #   "port" => 35357,
34:  #   "uri" => "http://10.1.0.2:35357/v2.0"
39:  # { "network" => "management", "port" => 35357 }

claco · Mar 17 '14 18:03
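An added example (my own code, not part of the rcbops/chef-cookbooks repository) of the kind of check the issue above implies: walk a hash shaped like the `node["keystone"]["services"]` attributes and a novarc fragment, report every endpoint that would be contacted over plain HTTP, and produce the https form the mitigation asks for. The attribute layout (`scheme`/`host`/`port`/`path` keys), the hosts and the novarc contents are constructed for the example; only port 35357 is taken from the issue.

```ruby
# Added example, not code from the rcbops/chef-cookbooks repository: audit
# keystone-style endpoint attributes and a novarc file for cleartext HTTP and
# render the https form that the issue's suggested mitigation calls for.

# Constructed sample in the shape of node["keystone"]["services"]. Port 35357
# is the admin-api port named in the issue; hosts are documentation addresses.
SAMPLE_SERVICES = {
  "admin-api"  => { "scheme" => "http",  "host" => "192.0.2.10", "port" => "35357", "path" => "/v2.0" },
  "public-api" => { "scheme" => "https", "host" => "192.0.2.10", "port" => "5000",  "path" => "/v2.0" },
}

# Constructed novarc fragment of the kind the issue says would need changing.
SAMPLE_NOVARC = <<~RC
  export OS_USERNAME=admin
  export OS_AUTH_URL=http://192.0.2.10:35357/v2.0
  export OS_REGION_NAME=RegionOne
RC

# Render the URL a client would actually connect to for one service entry.
def endpoint_uri(svc)
  "#{svc['scheme']}://#{svc['host']}:#{svc['port']}#{svc['path']}"
end

# Names of the services whose endpoint is not served over TLS.
def cleartext_services(services)
  services.reject { |_name, svc| svc["scheme"] == "https" }.keys
end

# Lines of a novarc-style file that point OS_AUTH_URL at a plain-http endpoint
# (with or without the leading "export").
def cleartext_auth_urls(novarc_text)
  novarc_text.lines.map(&:strip).select { |l| l =~ /\A(export\s+)?OS_AUTH_URL=http:/ }
end

# Hardened copy of the attributes: every service is switched to https. The
# port is kept, since keystone can terminate TLS on 35357 itself or sit behind
# an Apache proxy on the same port (the options discussed in this thread).
def harden(services)
  services.transform_values { |svc| svc.merge("scheme" => "https") }
end

if $PROGRAM_NAME == __FILE__
  cleartext_services(SAMPLE_SERVICES).each { |n| puts "cleartext: #{n} -> #{endpoint_uri(SAMPLE_SERVICES[n])}" }
  cleartext_auth_urls(SAMPLE_NOVARC).each { |l| puts "cleartext novarc: #{l}" }
  harden(SAMPLE_SERVICES).each { |n, s| puts "hardened: #{n} -> #{endpoint_uri(s)}" }
end
```

The same two predicates (`cleartext_services` and `cleartext_auth_urls`) are what a monit or CI check would run after the http -> https attribute change, so a regression back to cleartext on the admin port shows up as a failed check rather than as a finding in the next review.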

There are some options here:

  1. Use the native SSL config options to ensure that keystone listens on SSL for all services;
  2. Use an Apache/wsgi configuration. This is a tested configuration in the OpenStack CI infrastructure, so this is a worthy option.
  3. Use Apache to reverse proxy keystone on all ports and SSL encrypt the traffic. This has been working well for us.

odyssey4me · Mar 26 '14 12:03