Bug #1142

security problem in EC2

Added by Rolandas Naujikas over 9 years ago. Updated over 9 years ago.

Status: Closed
Start date: 02/25/2012
Priority: High
Due date:
Assignee: Daniel Molina
% Done: 100%

Category: -
Target version: Release 3.4 - Beta
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 3.4

Description

I just was able to authenticate through EC2 (using ec2 auth method in econe.conf) with the user from LDAP (with driver ldap) with its LDAP DN as a password. I'm almost sure it will work also with the user with x509 driver and its certificate subject as a password.

Rolandas Naujikas

P.S. Related code in EC2CloudAuth.rb is "one_pass = get_password(username)".
P.S. Workaround is not to mix users with different drivers in one setup (only core driver users should be used if auth=ec2 is used). Another solution is to use auth=x509 if there are users with different drivers (ldap/x509/ssh).
P.S. OCCICloudAuth.rb looks similar to EC2, but I didn't succeed in authenticating.
P.S. SunstoneCloudAuth.rb looks OK (because of SHA1 digest used).

Associated revisions

Revision cbc622f8
Added by Daniel Molina over 9 years ago

bug #1142: Check user driver in CloudAuth

Revision 1efef611
Added by Daniel Molina over 9 years ago

bug #1142: Check public driver

History

#1 Updated by Rolandas Naujikas over 9 years ago

I was able to authenticate with x509 user certificate subject also through EC2.

#2 Updated by Rolandas Naujikas over 9 years ago

OCCICloudAuth.rb is also vulnerable because the SHA1 hash is made on the client side, so a modified client could also authenticate with the user's public information.

#3 Updated by Ruben S. Montero over 9 years ago

  • Target version set to Release 3.4 - Beta

#4 Updated by Daniel Molina over 9 years ago

  • Category set to 11
  • Assignee set to Daniel Molina

Thanks for the feedback, we will fix these issues in the next release.

#5 Updated by Daniel Molina over 9 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Resolution set to fixed
  • Affected Versions OpenNebula 3.4 added

#6 Updated by Daniel Molina over 9 years ago

If the EC2/OCCI authentication system is specified in the server configuration the user can only use core/public driver in OpenNebula.

A new OpenNebulaCloudAuth has been included to use the driver specified in the core.
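The driver check described in this fix, as an added example that is not OpenNebula's own code: the user records, the `get_password`/`get_driver` lookups and the `EC2_ALLOWED_DRIVERS` list are constructed for illustration, and the vulnerable variant mirrors the `one_pass = get_password(username)` comparison from the report.

```ruby
# Constructed user table. For the ldap/x509 drivers the stored "password"
# field holds public information (LDAP DN / certificate subject), so it
# must never be accepted as a shared secret.
USERS = {
  'alice' => { driver: 'core', password: 'alice-secret' },
  'bob'   => { driver: 'ldap', password: 'cn=bob,dc=example,dc=org' },
  'carol' => { driver: 'x509', password: '/CN=carol/O=Example' }
}.freeze

# Only drivers whose stored password is an actual secret may back ec2 auth
# (assumed list, matching the core/public rule stated in the ticket).
EC2_ALLOWED_DRIVERS = %w[core public].freeze

def get_password(username)
  user = USERS[username]
  user && user[:password]
end

def get_driver(username)
  user = USERS[username]
  user && user[:driver]
end

# Constant-time byte comparison so a mismatch position does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Behaviour reported in the ticket: the supplied password is compared with
# whatever get_password returns, regardless of the user's auth driver, so a
# public LDAP DN or certificate subject passes as a credential.
def ec2_auth_unchecked(username, password)
  one_pass = get_password(username)
  !one_pass.nil? && one_pass == password
end

# Fixed behaviour: reject any user whose driver is not core/public before
# the credential is even looked at, then compare in constant time.
def ec2_auth_checked(username, password)
  return false unless EC2_ALLOWED_DRIVERS.include?(get_driver(username))
  one_pass = get_password(username)
  !one_pass.nil? && secure_equal?(one_pass, password)
end
```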
