swauth: Swift object/proxy server writing swauth Auth Token to log file (CVE-2017-16613)

Related Vulnerabilities: CVE-2017-16613  

Debian Bug report logs - #882314
swauth: Swift object/proxy server writing swauth Auth Token to log file (CVE-2017-16613)


Reported by: "Ondřej Nový" <novy@ondrej.org>

Date: Tue, 21 Nov 2017 11:21:02 UTC

Severity: grave

Tags: security, upstream

Found in versions swauth/1.2.0-1, swauth/1.2.0-3

Fixed in versions swauth/1.2.0-4, swauth/1.2.0-2+deb9u1

Done: Ondřej Nový <onovy@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/swift/+bug/1655781



Report forwarded to debian-bugs-dist@lists.debian.org, onovy@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#882314; Package src:swauth. (Tue, 21 Nov 2017 11:21:04 GMT)


Acknowledgement sent to "Ondřej Nový" <novy@ondrej.org>:
New Bug report received and forwarded. Copy sent to onovy@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 21 Nov 2017 11:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Ondřej Nový" <novy@ondrej.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: swauth: Swift object/proxy server writing swauth Auth Token to log file (CVE-2017-16613)
Date: Tue, 21 Nov 2017 12:17:50 +0100
Source: swauth
Version: 1.2.0-3
Severity: grave
Tags: security upstream
Justification: user security hole

Refs: https://bugs.launchpad.net/swift/+bug/1655781
CVE-2017-16613

Auth tokens are logged by the proxy and object server if the swauth[1] authentication middleware is used.

The Swift object server and proxy server save tokens retrieved from the middleware authentication mechanism (swauth) to the log file.

Steps to trigger the issue:

1. Enable `swauth` authentication middleware
2. Retrieve a token using:

```shell
swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v
```

The logs written when the above command is executed contain the token as well:

```
Jan 11 22:51:22 ubuntu-xenial object-6030: 127.0.0.1 - - [11/Jan/2017:22:51:22 +0000] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" 200 194 "GET http://127.0.0.1:8080/v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0" "txfbebdc4d5b7f48b285132-005876b6ea" "proxy-server 31555" 0.0152 "-" 28646 0
Jan 11 22:51:22 ubuntu-xenial proxy-server: - - 11/Jan/2017/22/51/22 GET /v1/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.0 200 - python-swiftclient-3.2.1.dev9%20Swauth - - 194 - txfbebdc4d5b7f48b285132-005876b6ea - 0.1124 SWTH - 1484175082.315428972 1484175082.427867889 0
Jan 11 22:51:22 ubuntu-xenial object-6030: STDERR: 127.0.0.1 - - [11/Jan/2017 22:51:22] "GET /sdb3/660/AUTH_.auth/.token_0/AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0 HTTP/1.1" 200 579 0.028552 (txn: txfbebdc4d5b7f48b285132-005876b6ea)
```

3. After retrieving the token from the logfile, I was able to execute the command below:

```shell
curl -i http://127.0.0.1:8080/v1/AUTH_d7f474ad-bfd1-47d4-a41c-8c727b3b5254?format=json -X GET -H "Accept-Encoding: gzip" -H "X-Auth-Token: AUTH_tkc9ccde1d34c44c82ac1d260ddbd18df0"
```

The output obtained:

```
HTTP/1.1 200 OK
Content-Length: 2
Accept-Ranges: bytes
X-Timestamp: 1484167500.58887
X-Account-Bytes-Used: 0
X-Account-Container-Count: 0
Content-Type: application/json; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: txbd83d5254a404647bb086-005876ba2a
X-Openstack-Request-Id: txbd83d5254a404647bb086-005876ba2a
Date: Wed, 11 Jan 2017 23:05:14 GMT
```

As Swift has the ability to add any middleware for authentication, and swauth is officially part of the OpenStack project[1], the token should not be logged. I suspect this issue would be present for any authentication middleware and is a security issue.

[1]. https://github.com/openstack/swauth

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
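The report above shows the mechanism: the token itself is the object name under the `.auth` account, so every proxy and object access log records it. The following is an added illustration, not swauth's code or the reporter's, of why hashing the token before storing it (the 1.2.0-4 fix) keeps it out of the request path and therefore the logs, together with a log check a defender can run. The object-path layout follows the log lines in the report; SHA-512 as the digest, the shard suffix rule and the sample token are assumptions/constructed.

```python
import hashlib
import re

# Added illustration of the CVE-2017-16613 mechanism and its fix; not swauth's
# code.  Paths mirror the report's log lines (/v1/AUTH_.auth/.token_<n>/<name>);
# the last-hex-digit shard rule and SHA-512 as digest are assumptions.
TOKEN_RE = re.compile(r"AUTH_tk[0-9a-f]{32}")


def token_object_name(token, hash_before_store):
    """Name under which the token record is stored in the .auth account."""
    if hash_before_store:
        return hashlib.sha512(token.encode()).hexdigest()
    return token  # pre-fix: the bearer secret itself is the object name


def token_object_path(token, hash_before_store):
    """Path the proxy GETs to validate `token`; this path ends up in the logs."""
    return "/v1/AUTH_.auth/.token_%s/%s" % (
        token[-1], token_object_name(token, hash_before_store))


def proxy_log_line(token, hash_before_store):
    """Constructed proxy-server access-log line in the report's format."""
    return "proxy-server: - - 11/Jan/2017/22/51/22 GET %s HTTP/1.0 200" % (
        token_object_path(token, hash_before_store))


def find_leaked_tokens(log_lines):
    """Defender's check: swauth bearer tokens visible in access-log lines."""
    found = set()
    for line in log_lines:
        found.update(TOKEN_RE.findall(line))
    return found


class TokenStore:
    """Minimal stand-in for the .auth account; keys are object names."""
    def __init__(self, hash_before_store):
        self.hash_before_store = hash_before_store
        self.records = {}

    def issue(self, token, account):
        self.records[token_object_name(token, self.hash_before_store)] = account

    def validate(self, presented):
        # The presented token is hashed on lookup, so a digest copied from a
        # log line is not itself a valid credential.
        return self.records.get(token_object_name(presented, self.hash_before_store))


def demo(token="AUTH_tk0123456789abcdef0123456789abcdef"):  # constructed token
    leaked_before = find_leaked_tokens([proxy_log_line(token, False)])
    leaked_after = find_leaked_tokens([proxy_log_line(token, True)])
    store = TokenStore(hash_before_store=True)
    store.issue(token, "AUTH_test")
    digest_from_log = token_object_name(token, True)
    return leaked_before, leaked_after, store.validate(token), store.validate(digest_from_log)
```

Running `find_leaked_tokens` over real proxy/object logs is a quick way to confirm whether a deployment that ran the unfixed middleware needs its outstanding tokens revoked.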



Reply sent to Ondřej Nový <onovy@debian.org>:
You have taken responsibility. (Tue, 21 Nov 2017 11:57:03 GMT)


Notification sent to "Ondřej Nový" <novy@ondrej.org>:
Bug acknowledged by developer. (Tue, 21 Nov 2017 11:57:03 GMT)


Message #10 received at 882314-close@bugs.debian.org:

From: Ondřej Nový <onovy@debian.org>
To: 882314-close@bugs.debian.org
Subject: Bug#882314: fixed in swauth 1.2.0-4
Date: Tue, 21 Nov 2017 11:52:53 +0000
Source: swauth
Source-Version: 1.2.0-4

We believe that the bug you reported is fixed in the latest version of
swauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <onovy@debian.org> (supplier of updated swauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 21 Nov 2017 12:24:54 +0100
Source: swauth
Binary: swauth swauth-doc
Architecture: source
Version: 1.2.0-4
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Ondřej Nový <onovy@debian.org>
Description:
 swauth     - alternative authentication system for Swift
 swauth-doc - alternative authentication system for Swift - documentation
Closes: 882314
Changes:
 swauth (1.2.0-4) unstable; urgency=high
 .
   [ Daniel Baumann ]
   * Updating vcs fields.
   * Updating copyright format url.
   * Updating maintainer field.
   * Running wrap-and-sort -bast.
   * Removing gbp.conf, not used anymore or should be specified in the
     developers dotfiles.
   * Updating standards version to 4.1.0.
 .
   [ Ondřej Nový ]
   * Hash token before storing it in Swift
     (CVE-2017-16613, Closes: #882314)




Set Bug forwarded-to-address to 'https://bugs.launchpad.net/swift/+bug/1655781'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 Nov 2017 12:21:10 GMT)


Marked as found in versions swauth/1.2.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 Nov 2017 12:21:10 GMT)


Added tag(s) pending. Request was from Ondřej Nový <onovy@debian.org> to control@bugs.debian.org. (Tue, 21 Nov 2017 22:45:07 GMT)


Message sent on to "Ondřej Nový" <novy@ondrej.org>:
Bug#882314. (Tue, 21 Nov 2017 22:45:10 GMT)


Message #19 received at 882314-submitter@bugs.debian.org:

From: Ondřej Nový <onovy@debian.org>
To: 882314-submitter@bugs.debian.org
Subject: Bug#882314 marked as pending
Date: Tue, 21 Nov 2017 22:41:11 +0000
tag 882314 pending
thanks

Hello,

Bug #882314 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/openstack/services/swauth.git/commit/?id=9ec605f

---
commit 9ec605f11b6a5cce2abe23caf915b9a4b0d8e06c
Author: Ondřej Nový <onovy@debian.org>
Date:   Tue Nov 21 12:21:49 2017 +0100

    Hash token before storing it in Swift (CVE-2017-16613, Closes: #882314)

diff --git a/debian/changelog b/debian/changelog
index c6ee0e0..22080df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
-swauth (1.2.0-4) UNRELEASED; urgency=medium
+swauth (1.2.0-4) UNRELEASED; urgency=high
 
+  [ Daniel Baumann ]
   * Updating vcs fields.
   * Updating copyright format url.
   * Updating maintainer field.
@@ -8,6 +9,10 @@ swauth (1.2.0-4) UNRELEASED; urgency=medium
     developers dotfiles.
   * Updating standards version to 4.1.0.
 
+  [ Ondřej Nový ]
+  * Hash token before storing it in Swift
+    (CVE-2017-16613, Closes: #882314)
+
  -- Daniel Baumann <daniel.baumann@progress-linux.org>  Fri, 04 Aug 2017 22:26:33 +0200
 
 swauth (1.2.0-3) unstable; urgency=medium
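Review bot: the trailer kept as unchanged context at the end of this hunk still reads `-- Daniel Baumann <daniel.baumann@progress-linux.org>  Fri, 04 Aug 2017 22:26:33 +0200`, so the 1.2.0-4 entry that now also records the CVE-2017-16613 fix carries the signer and date of an earlier change; refresh the trailer (for example with `dch -r`) at release time so it reflects the last change. The diff shown here touches only debian/changelog, so the new entry "Hash token before storing it in Swift" has nothing in this commit to point at; referencing the patch file that carries the code change (a debian/patches entry) would make the changelog claim traceable from the commit itself.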



Reply sent to Ondřej Nový <onovy@debian.org>:
You have taken responsibility. (Thu, 23 Nov 2017 13:03:09 GMT)


Notification sent to "Ondřej Nový" <novy@ondrej.org>:
Bug acknowledged by developer. (Thu, 23 Nov 2017 13:03:09 GMT)


Message #24 received at 882314-close@bugs.debian.org:

From: Ondřej Nový <onovy@debian.org>
To: 882314-close@bugs.debian.org
Subject: Bug#882314: fixed in swauth 1.2.0-2+deb9u1
Date: Thu, 23 Nov 2017 13:02:08 +0000
Source: swauth
Source-Version: 1.2.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
swauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <onovy@debian.org> (supplier of updated swauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 21 Nov 2017 12:34:33 +0100
Source: swauth
Binary: swauth swauth-doc
Architecture: source all
Version: 1.2.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Ondřej Nový <onovy@debian.org>
Description:
 swauth     - alternative authentication system for Swift
 swauth-doc - alternative authentication system for Swift - documentation
Closes: 882314
Changes:
 swauth (1.2.0-2+deb9u1) stretch-security; urgency=high
 .
   * Hash token before storing it in Swift
     (CVE-2017-16613, Closes: #882314)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Jan 2018 07:27:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:50:43 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.