Bug #1142
security problem in EC2
| Status: | Closed | Start date: | 02/25/2012 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Daniel Molina | % Done: | 100% |
| Category: | - | | |
| Target version: | Release 3.4 - Beta | | |
| Resolution: | fixed | Pull request: | |
| Affected Versions: | OpenNebula 3.4 | | |
Description
I was just able to authenticate through EC2 (using the ec2 auth method in econe.conf) with a user from LDAP (with the ldap driver), using its LDAP DN as the password. I'm almost sure it will also work with a user with the x509 driver and its certificate subject as the password.
Rolandas Naujikas
P.S. Related code in EC2CloudAuth.rb is "one_pass = get_password(username)".
P.S. A workaround is not to mix users with different drivers in one setup (only core driver users should be used if auth=ec2 is used). Another solution is to use auth=x509 if there are users with different drivers (ldap/x509/ssh).
P.S. OCCICloudAuth.rb looks similar to EC2, but I didn't succeed in authenticating.
P.S. SunstoneCloudAuth.rb looks OK (because of SHA1 digest used).
History
#1 Updated by Rolandas Naujikas over 9 years ago
I was also able to authenticate through EC2 with an x509 user's certificate subject.
#2 Updated by Rolandas Naujikas over 9 years ago
OCCICloudAuth.rb is also vulnerable because the SHA1 hash is computed on the client side, so a modified client could also authenticate with the user's public information.
#3 Updated by Ruben S. Montero over 9 years ago
- Target version set to Release 3.4 - Beta
#4 Updated by Daniel Molina over 9 years ago
- Category set to 11
- Assignee set to Daniel Molina
Thanks for the feedback, we will fix these issues in the next release.
#5 Updated by Daniel Molina over 9 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
- Resolution set to fixed
- Affected Versions OpenNebula 3.4 added
#6 Updated by Daniel Molina over 9 years ago
If the EC2/OCCI authentication system is specified in the server configuration, the user can only use the core/public driver in OpenNebula.
A new OpenNebulaCloudAuth has been included to use the driver specified in the core.
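The following Ruby block is an added illustration of the flaw described in the report and of the driver check described in the fix; it is not OpenNebula code and does not reproduce EC2CloudAuth.rb or OCCICloudAuth.rb. The user table is constructed, the EC2-style request signing is a simplified stand-in for the real wire format, and every function name except `get_password` is hypothetical. It models both observations from the thread: the EC2 path uses whatever the core stores in the password field as the signing secret, and the OCCI path accepts a client-supplied value compared directly against that field, so for ldap/x509 users the LDAP DN or certificate subject (public information) works as the credential.

```ruby
require 'openssl'

# Constructed stand-in for the OpenNebula core's user table as the cloud
# server sees it through get_password(username). For core users the field
# holds a SHA1 digest of the password; for ldap/x509 users it holds the LDAP
# DN or the certificate subject, neither of which is secret.
USERS = {
  'alice' => { driver: 'core', password: OpenSSL::Digest::SHA1.hexdigest('s3cret-alice') },
  'bob'   => { driver: 'ldap', password: 'cn=bob,ou=people,dc=example,dc=org' },
  'carol' => { driver: 'x509', password: '/DC=org/DC=example/CN=carol' },
}.freeze

def get_password(username)
  USERS.dig(username, :password)
end

def get_driver(username)
  USERS.dig(username, :driver)
end

# Constant-time string comparison; it does not help when the "secret" is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Simplified EC2-style request signing (hypothetical, not the real format):
# the client proves possession of the secret by HMAC-signing a canonical string.
def sign_request(secret, canonical_string)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_string)
end

# Vulnerable EC2 check, following the pattern the report quotes
# ("one_pass = get_password(username)"): the stored field is used as the
# signing secret regardless of which auth driver owns the user.
def ec2_auth_vulnerable(username, canonical_string, signature)
  one_pass = get_password(username)
  return false unless one_pass
  secure_compare(sign_request(one_pass, canonical_string), signature)
end

# Vulnerable OCCI check as described in comment #2: the client sends the
# hash itself, so a modified client can send the stored public value instead.
def occi_auth_vulnerable(username, client_supplied_hash)
  one_pass = get_password(username)
  return false unless one_pass
  secure_compare(one_pass, client_supplied_hash)
end

# Fix as described in comment #6: with server-side EC2/OCCI authentication
# configured, only users of the core/public driver are accepted, because only
# for them does the stored field hold a secret. Delegation to the core's own
# driver (the OpenNebulaCloudAuth path) is not modelled here.
SERVER_SIDE_DRIVERS = %w[core public].freeze

def ec2_auth_fixed(username, canonical_string, signature)
  return false unless SERVER_SIDE_DRIVERS.include?(get_driver(username))
  ec2_auth_vulnerable(username, canonical_string, signature)
end

def occi_auth_fixed(username, client_supplied_hash)
  return false unless SERVER_SIDE_DRIVERS.include?(get_driver(username))
  occi_auth_vulnerable(username, client_supplied_hash)
end

# Walk through the report's scenario with the constructed data.
def demo
  req = 'GET /?Action=DescribeInstances&AWSAccessKeyId=bob'
  # The attacker only needs bob's DN, which LDAP publishes.
  forged = sign_request('cn=bob,ou=people,dc=example,dc=org', req)
  {
    ec2_vulnerable_accepts_dn:   ec2_auth_vulnerable('bob', req, forged),
    ec2_fixed_rejects_dn:        !ec2_auth_fixed('bob', req, forged),
    ec2_core_user_still_works:   ec2_auth_fixed('alice', req, sign_request(get_password('alice'), req)),
    occi_vulnerable_accepts_subject: occi_auth_vulnerable('carol', '/DC=org/DC=example/CN=carol'),
    occi_fixed_rejects_subject:  !occi_auth_fixed('carol', '/DC=org/DC=example/CN=carol'),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the example makes is that a constant-time compare or a stronger MAC changes nothing here: the bug is that the value being compared against was never a secret for non-core users, so the only sound options are to refuse those users on the server-side path (as the fix does) or to hand verification back to the driver that actually owns the credential.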