OSSA-2013-017: Issues in Keystone middleware memcache signing/encryption feature
- Date: June 19, 2013
- CVE: CVE-2013-2166, CVE-2013-2167
Affects
Python-keystoneclient: Versions 0.2.3 up to 0.2.5
Description
Paul McMillan from Nebula reported multiple issues in the implementation of the memcache signing/encryption feature in the Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (i.e. that specify memcache_servers) and that use ENCRYPT or MAC as their memcache_security_strategy are affected.
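The property the MAC strategy is meant to guarantee is that nothing read back from memcache is trusted unless it carries a tag computed with the middleware's secret key: an unprotected entry, a modified payload, or an entry signed under some other key must all be treated as a cache miss rather than accepted. The following is an added illustration of that check, not python-keystoneclient code and not the project's real envelope format; the FakeMemcache backend, the MAC_PREFIX marker, the TokenCache wrapper and the sample token data are all constructed for the example.

```python
import hmac
import hashlib
import json
import secrets


class FakeMemcache:
    """Constructed in-memory stand-in for a memcache backend (hypothetical)."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


# Hypothetical envelope marker; the real middleware's wire format is not modelled here.
MAC_PREFIX = b"{MAC:"


class TokenCache:
    """Cache wrapper implementing a MAC security strategy (example, not project code).

    Each stored entry is MAC_PREFIX + hex(tag) + b"}" + payload, where
    tag = HMAC-SHA256(secret_key, payload). On read, anything that is not a
    well-formed envelope with a valid tag is returned as a miss (None), so a
    writer who lacks the secret key cannot make the middleware accept
    attacker-chosen token data, and there is no fall-back to raw values.
    """

    def __init__(self, backend, secret_key, strategy="MAC"):
        if strategy != "MAC":
            raise ValueError("only the MAC strategy is modelled in this example")
        self.backend = backend
        self.key = secret_key

    def _tag(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()

    def set(self, cache_key, token_data):
        payload = json.dumps(token_data, sort_keys=True).encode()
        self.backend.set(cache_key, MAC_PREFIX + self._tag(payload) + b"}" + payload)

    def get(self, cache_key):
        raw = self.backend.get(cache_key)
        if raw is None or not raw.startswith(MAC_PREFIX):
            return None  # unprotected entry: never trusted when a strategy is configured
        end = raw.find(b"}", len(MAC_PREFIX))  # hex tag contains no "}", so this is ours
        if end < 0:
            return None
        tag, payload = raw[len(MAC_PREFIX):end], raw[end + 1:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            return None  # tag mismatch: treat as a miss (a real deployment would also log it)
        return json.loads(payload.decode())


def run_checks():
    """Exercise the wrapper against the three injection cases a defender cares about."""
    backend = FakeMemcache()
    key = secrets.token_bytes(32)  # per-deployment secret, generated here for the example
    cache = TokenCache(backend, key)
    results = {}

    cache.set("tok:abc", {"user": "alice", "roles": ["member"]})
    results["valid"] = cache.get("tok:abc") == {"user": "alice", "roles": ["member"]}

    # Case 1: a plain, unprotected value written by someone with direct memcache access.
    backend.set("tok:unprot", json.dumps({"user": "admin", "roles": ["admin"]}).encode())
    results["unprotected"] = cache.get("tok:unprot")

    # Case 2: a genuine envelope whose payload was altered after it was signed.
    raw = backend.get("tok:abc")
    backend.set("tok:tampered", raw.replace(b'"member"', b'"admin"'))
    results["tampered"] = cache.get("tok:tampered")

    # Case 3: an envelope signed under a key the middleware does not use.
    other = TokenCache(FakeMemcache(), secrets.token_bytes(32))
    other.set("tok:x", {"user": "admin", "roles": ["admin"]})
    backend.set("tok:wrongkey", other.backend.get("tok:x"))
    results["wrong_key"] = cache.get("tok:wrongkey")
    return results


if __name__ == "__main__":
    print(run_checks())
```

The same rule applies to an ENCRYPT strategy: decryption with an authenticated cipher either succeeds under the configured key or the entry is discarded; the middleware never reads a raw value because the envelope was missing or malformed.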
Patches
https://review.openstack.org/#/c/33661 (Python-keystoneclient-0.2.6)
Credits
Paul McMillan from Nebula (CVE-2013-2166, CVE-2013-2167)