Eucalyptus: EUCA-1717

Walrus: anyone can access objects on Walrus by submitting correctly signed requests

    Details

    • Benefit: Medium
    • Security: Yes
    • Rank: 5338

      Description

      Walrus accepts internal requests from NC based on a custom REST protocol. To
      authenticate such requests, it verifies that the signature (over some headers
      in the request) of the request is correct, but the certificate that is used to
      verify the signature is taken from the request itself. The assumption is that
      it's an NC's certificate. However, since Walrus does not validate that the
      submitted key is a valid key of an NC, anyone can submit a request to Walrus
      using an arbitrary pair of key/cert. As a result, Walrus will return any
      requested object. It looks like at least the following operations are
      supported in place of EucaOperation: "GetDecryptedImage", "GetObject",
      "HttpPut" and any object (not just images) can be read this way. All an
      attacker needs to do is to guess an object location on Walrus.

        Activity

        gholmstrom added a comment -

        Originally posted on 2012-03-20 23:59:11
        Does this also affect eucalyptus 2?

        Andy Grimm added a comment -

        Originally posted on 2012-04-25 00:02:38 by zach.hill@eucalyptus.com

        <URL: https://support.eucalyptus.com/Ticket/Display.html?id=6717 >

        Neil fixed this in eee 3.0.2 and eee-main. 3.0.2 revno is 2590 and eee-main
        revno is 2596 in bzr repos.

        On Tue Mar 20 16:53:06 2012, vika.felmetsger wrote:
        > Walrus accepts internal requests from NC based on a custom REST protocol. To
        > authenticate such requests, it verifies that the signature (over some headers
        > in the request) of the request is correct, but the certificate that is used to
        > verify the signature is taken from the request itself. The assumption is that
        > it's an NC's certificate. However, since Walrus does not validate that the
        > submitted key is a valid key of an NC, anyone can submit a request to Walrus
        > using an arbitrary pair of key/cert. As a result, Walrus will return any
        > requested object. It looks like at least the following operations are
        > supported in place of EucaOperation: "GetDecryptedImage", "GetObject", "HttpPut"
        > and any object (not just images) can be read this way. All an attacker needs
        > to do is to guess an object location on Walrus.

        Tom Ellis added a comment -

        I'm getting pinged by Ubuntu folks on this who are trying to patch 10.04 (lucid)'s Eucalyptus 2 packages. Do we have a public commit in github I can point them to?

        Vika Felmetsger added a comment -

        Tom, see commits eb36703c and 854ac92f in eucalyptus repo on github.

        Tom Ellis added a comment -

        Thanks!

        Andy Grimm added a comment -

        I've made this issue public, since the CVE is public now.
