Date: Thu, 10 Apr 2014 14:06:49 -0400 (EDT)
From: cve-assign@...re.org
To: tristan.cacqueray@...vance.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Keystone

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://launchpad.net/bugs/1300274
>
> Keystone DoS through V3 API authentication chaining
>
> a vulnerability in Keystone V3 API authentication. By sending a single
> request with the same authentication method multiple times, a remote
> attacker may generate unwanted load on the Keystone host, potentially
> resulting in a Denial of Service against a Keystone service. Only
> Keystone setups enabling the V3 API are affected.
>
> Sanitizes authentication methods received in requests.
>
> When a user authenticates against the Identity V3 API, he can specify
> multiple authentication methods. This patch removes duplicates, which
> could have been used to achieve DoS attacks.
>
> The difference that I see between many authentication requests versus
> one request with many authentication methods is that in the first
> case an operator may limit the rate at which requests are processed,
> but it's more difficult to protect Keystone against few requests
> triggering many authentication trials.

Use CVE-2014-2828.

For reference: this was apparently disputed internally by the vendor
before a conclusion was reached that this is a vulnerability in the
context of the vendor's security policy. Obviously an attacker who sends
more authentication requests generates more system load. Apparently the
decision is that it was a mistake for auth/controllers.py, when handling
one request, to process superfluous data that had no real purpose other
than increasing resource consumption.
- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTRt1TAAoJEKllVAevmvms3aEIAL3ri80WKGeYIT+99PIHROOw
GbBvXRIsLL5xLwTIgCdUe6ozNR4z9WOSVSMLIPT4rHZEaXEqe7jV9yqAeVW5c7IX
RQ6YFtTC/wGPxMHjoQyjx1TQp1Ymubcie1golNJC6rSAFnEM211HM8VEQxh/NiCe
FH0vfawOxioFIp0KxiTTKHNUbY39AI+6ENylEQwfOzfjEP7Vvbp+k8MrwctIZxEB
x5aJH/5kENJQSd5JzQbIzA4qt6THTEg8SiXTRJTd5RdHyKh/oBelZhkuf/Q16ERe
/CwfUpwKB1Z0rKN+tefdBu0fW/Rr428MJ7dIONskJhdPQNHJyvCsLt411l66Nf0=
=Ck8/
-----END PGP SIGNATURE-----
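The amplification the thread describes, as an added illustrative model and not Keystone's own controller code: a v3 token request names the credential blocks to process in auth.identity.methods, and a handler that walks that list as received runs the password check once per listed entry, so one request with "password" repeated 500 times costs 500 verifications. The hardened handler drops duplicates before any work is done, which is the behaviour the quoted fix description states. The request body, the user/credential values, the CountingBackend class and the pbkdf2 stand-in for the real hashing cost are all constructed for this example.

```python
"""Illustrative model of CVE-2014-2828 (added example, not Keystone's code).

A naive v3 auth controller processes auth.identity.methods as listed, so a
request that repeats one method N times triggers N credential checks.
De-duplicating the list first bounds the work per request to one check per
distinct method, regardless of how many entries the client sends.
"""
import hashlib


def make_request(repeats):
    """Constructed v3 auth body whose methods list repeats "password".

    The layout follows the public v3 identity API shape; the user name,
    domain and password values are made up for this example.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"] * repeats,
                "password": {
                    "user": {
                        "name": "demo",
                        "domain": {"id": "default"},
                        "password": "not-the-right-password",
                    }
                },
            }
        }
    }


class CountingBackend:
    """Stand-in credential checker that records how often it is invoked.

    pbkdf2 with many iterations plays the role of the real password hashing
    cost that makes every superfluous verification expensive for the server.
    """

    def __init__(self, iterations=20000):
        self.iterations = iterations
        self.attempts = 0

    def check_password(self, user, password):
        self.attempts += 1
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt",
                            self.iterations)
        return False  # constructed: the credentials never match


def _run_method(backend, identity, method):
    """Dispatch one named method to its credential block."""
    if method == "password":
        user = identity["password"]["user"]
        return backend.check_password(user["name"], user["password"])
    raise ValueError("unsupported auth method: %s" % method)


def authenticate_vulnerable(backend, body):
    """Processes every entry of methods as listed, once per occurrence."""
    identity = body["auth"]["identity"]
    for method in identity["methods"]:
        _run_method(backend, identity, method)
    return backend.attempts


def authenticate_fixed(backend, body):
    """Same flow, but duplicates are removed (order preserved) before any
    credential check runs, so repeated entries add no server work."""
    identity = body["auth"]["identity"]
    unique_methods = list(dict.fromkeys(identity["methods"]))
    for method in unique_methods:
        _run_method(backend, identity, method)
    return backend.attempts


def attempts_per_request(handler, repeats):
    """Credential checks one request with `repeats` method entries costs
    the server under the given handler."""
    backend = CountingBackend(iterations=1000)
    return handler(backend, make_request(repeats))


if __name__ == "__main__":
    for n in (1, 10, 500):
        print("methods listed %4d: vulnerable=%4d fixed=%d" % (
            n,
            attempts_per_request(authenticate_vulnerable, n),
            attempts_per_request(authenticate_fixed, n)))
```

The point the reporter makes about rate limiting is visible in the numbers: a front-end limiter counts one request in both cases, so only the server-side de-duplication (or an explicit bound on the length of the methods list) caps the work a single request can trigger.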