OpenStack Keystone Credentials API漏洞CVE-2019-19687指的是什么
本篇文章給大家分享的是有關(guān) OpenStack Keystone Credentials API漏洞CVE-2019-19687指的是什么,小編覺得挺實(shí)用的�,因此分享給大家學(xué)習(xí),希望大家閱讀完這篇文章后可以有所收獲�,話不多說,跟著小編一起來看看吧��。
0x00 概述
近期,國外研究員Daniel 'f0o' Preussker報(bào)告了OpenStack組件Keystone Credentials API中的一處缺陷�。當(dāng)Keystone 的部署配置中將enforce_scope設(shè)置為False時(shí),list credentials接口的相關(guān)過濾操作失效�,導(dǎo)致在操作的project中擁有角色的用戶可以獲取該project下的所有用戶credentials,造成信息泄露��。
0x01 影響范圍
Keystone <= 15.0.0 and <=16.0.0
0x02 漏洞修復(fù)
相關(guān)修復(fù)代碼已經(jīng)合并到主分支�,詳見Commit。
0x03 漏洞分析
該漏洞產(chǎn)生的源于將enforce_scope的配置值引入了憑據(jù)結(jié)果過濾的操作判斷邏輯中��,當(dāng)其取False時(shí)造成對應(yīng)處理邏輯繞過�,進(jìn)而造成信息泄露 。補(bǔ)丁的修復(fù)也是對該部分邏輯進(jìn)行了變更��,詳細(xì)如下:
# /keystone/api/credentials.py
def _list_credentials(self):
filters = ['user_id', 'type']
if not self.oslo_context.system_scope:
target = {'credential': {'user_id': self.oslo_context.user_id}}
else:
target = None
ENFORCER.enforce_call(action='identity:list_credentials',
filters=filters, target_attr=target)
hints = self.build_driver_hints(filters)
refs = PROVIDERS.credential_api.list_credentials(hints)
# If the request was filtered, make sure to return only the
# credentials specific to that user. This makes it so that users with
# roles on projects can't see credentials that aren't theirs.
- if (not self.oslo_context.system_scope and
- CONF.oslo_policy.enforce_scope):
- filtered_refs = []
- for ref in refs:
- if ref['user_id'] == target['credential']['user_id']:
- filtered_refs.append(ref)
- refs = filtered_refs
+ filtered_refs = []
+ for ref in refs:
+ # Check each credential again to make sure the user has access to
+ # it, either by owning it, being a project admin with
+ # enforce_scope=false, being a system user, or having some other
+ # custom policy that allows access.
+ try:
+ cred = PROVIDERS.credential_api.get_credential(ref['id'])
+ ENFORCER.enforce_call(
+ action='identity:get_credential',
+ target_attr={'credential': cred}
+ )
+ filtered_refs.append(ref)
+ except exception.Forbidden:
+ pass
+ refs = filtered_refs
refs = [self._blob_to_json(r) for r in refs]
return self.wrap_collection(refs, hints=hints)漏洞成因較為簡單��,但可以借此一窺Keystone API以及OpenStak背后的一些底層組件以及處理邏輯:
Oslo 維護(hù)了一套公共庫��,實(shí)現(xiàn)了OpenStack各項(xiàng)目中用到的共有功能��,避免了各項(xiàng)目重復(fù)造輪子�。 產(chǎn)生本次漏洞的enforce_scope選項(xiàng)即為其中的oslo_policy所需的配置項(xiàng),該庫為OpenStack各項(xiàng)目中基于角色的訪問控制(RBAC: Role-Based Access Control)功能提供實(shí)施策略的支持�。具體地,enforce_scope對應(yīng)于請求驗(yàn)證過程中對特定異常處理的控制(請求與scope_type允許范圍不匹配時(shí)�,拋出異?;蛴浫罩荆?。
oslo.policy通過以下兩個類實(shí)現(xiàn)各項(xiàng)功能支持:
這兩個類也對應(yīng)oslo.policy的兩個入口點(diǎn):oslo.policy.policies和oslo.policy.enforcer
當(dāng)服務(wù)發(fā)起一定操作時(shí)�,由Enforce加載并執(zhí)行Policy,完成對操作的鑒權(quán)和訪問控制��。
如下為Credentials API中list_credentials的一個oslo_policy.policy.DocumentedRuleDefault(繼承RuleDefault)實(shí)例��,記錄了一個policy enforcement的相關(guān)策略:
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_credentials',
check_str=base.SYSTEM_READER_OR_CRED_OWNER,
scope_types=['system', 'project'], # scope of the operation
description='List credentials.',
operations=[{'path': '/v3/credentials',
'method': 'GET'}],
deprecated_rule=deprecated_list_credentials,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.STEIN
),其中:
name: policy名稱
check_str: policy的策略規(guī)則表達(dá)式��。
scope_types: 規(guī)定了operate的作用范圍��。策略執(zhí)行階段��,會將此值與請求中token對應(yīng)的scope進(jìn)行比對�,進(jìn)行控制��。
description: 描述
operations: 操作屬性
deprecated_rule: 用于 Policy Deprecation Managerment��,比如對舊名的替換�。
deprecated_reason: 棄用原因
deprecated_since: 棄用版本節(jié)點(diǎn)
以上就是 OpenStack Keystone Credentials API漏洞CVE-2019-19687指的是什么,小編相信有部分知識點(diǎn)可能是我們?nèi)粘9ぷ鲿姷交蛴玫降?。希望你能通過這篇文章學(xué)到更多知識。更多詳情敬請關(guān)注億速云行業(yè)資訊頻道��。
