[AAA-151] Previous password continues to work after password change Created: 21/Nov/17  Updated: 28/Nov/17  Resolved: 28/Nov/17

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: Carbon-SR3, Nitrogen-SR1

Type: Bug Priority: High
Reporter: Vaibhav Hemant Dixit Assignee: Ryan Goulding
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners

 Description   

#security-status: confirmed-leaked

This issue has been confirmed as a security vulnerability in
OpenDayLight AAA. Unfortunately the details of this flaw have been
made public. Therefore it cannot be fixed under the OpenDaylight
embargoed security vulnerability process. As this issue is now public
it is important that the flaw is addressed in a timely manner. The
OpenDaylight security team will ensure that a CVE is assigned for this issue.

Vaibhav Hemant Dixit reported the following security vulnerability to the security mailing list:

Severity : OPENDAYLIGHT AUTHENTICATION BREACHED

Issue: After updating the password, the login is successful with both OLD and NEW passwords
Controller: Distribution Version: distribution-karaf-0.6.1-Carbon.tar.gz

Steps to reproduce:

Start the controller.
Install feature on Karaf: "feature:install odl-aaa-cli "
Changed the admin password :
_aaa:change-user-pwd -user admin
Enter current password:
Enter new password:
admin's password has been changed_

Observation:

The admin user can authenticate using both OLD and NEW passwords.
Execute a REST call with OLD and new password, the authentication is successful.
If the controller is shutdown and restarted, the issue is not seen anymore.

 Comments   
Comment by Ryan Goulding [ 21/Nov/17 ]

Proposed fix:

https://git.opendaylight.org/gerrit/#/q/topic:AAA-151

Affects CLI only; the REST endpoints do Claim cache invalidation already. Reboot works because the ClaimCache is force-flushed upon exit of the Java process. Although the CLI requires system access for (bin/client) or SSH access to the Karaf process, the effects are still bad because an admin expects that the old password should not work after he/she has changed it. He or she invokes the change-user-password Karaf CLI command expecting that the old credentials will no longer be accepted.

Not sure how we want to handle this, but I'd imagine it involves CVE and proper documentation. The fixes will be merged to the affected branches (carbon, nitrogen & master) as they pass jenkins-releng.

Comment by Luke Hinds [ 22/Nov/17 ]

Recommended Disclosure Dates

Thursday 23/11 - Downstream Stakeholders

Wednesday 29/11 - Go Public, open this JIRA and notify public mailing addresses.

Comment by Luke Hinds [ 22/Nov/17 ]

rgoulding et al, please verify the impact description:

Title: Previous passwords remain active after a password change, when using the Karaf CLI.

Reporters:
Vaibhav Hemant Dixit, Arizona State University

Affects: OpenDayLight AAA
Versions: Carbon, Nitrogen

Risk-assessment:
impact-rating: Important

Description:

Vaibhav Hemant Dixit from Arizona State University reported a vulnerability
in OpenDayLight AAA, whereby should a user update a password, the login is still successful with both OLD and NEW passwords. This is a result of how claimCache is flushed in AAA IDM when using the Karaf CLI. The issue is not present when using the AAA IDM REST API, as the handlers already invoke the clearing of the IdmLightProxy claimCache upon user update. A flush can be made by performing a reboot of Karaf or by applying the patches referenced in this advisory, as the patches enable the Karaf CLI to call IdmLightProxy claimCache and perform a flush every time a user changes a password.

Versions Affected: Nitrogen & Carbon

Comment by Ryan Goulding [ 28/Nov/17 ]

My apologies, I was out for the Holiday weekend.  This seems accurate to me.  Thanks for your help with this issue.

Generated at Wed Feb 07 19:08:46 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.