Posted to dev@cloudstack.apache.org by "Musayev, Ilya" <im...@webmd.net> on 2012/10/22 22:03:52 UTC

API Key and Signature security flaw on CS4 - jenkins build non-oss 137

I guess I found a not so cool feature/bug which at this moment is a major security flaw for locally authenticated ssh use or from another host on the network.

The API signature and key are not checked at all - I'm able to run the commands against API port with any key - and command is executed without checking the validity of Key/Signature.

Is this a known bug that may have been addressed or do I need to file one?

How do we restrict access to 8096 from another host? Is it done via iptables or some access rule in tomcat?

If it's iptables, we need a deny rule for 8096 from external hosts by default, probably with the setup script.

Thanks
ilya

Re: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

Posted by "Musayev, Ilya" <im...@webmd.net>.
I guess I missed the change of direction. I'm aware that 8096 is for local api access and it needs to be explicitly enabled.

On version 3.x, if I would have a single mistake in the API key, I would get 'invalid credentials'. In version 4.x any value in API key/sig is legit and I execute without problems. I was under the impression API and Signature key *verification* is performed prior to executing a command as an authenticated SSH user. Otherwise, there is no need for generating the API/Signature key pair in the UI - any key will work.

It is also not good for large environments when multiple people/teams could have access to CS server - even as basic non root ssh user.

If I understand this correctly, it is an admin task to lock down 8096 to external hosts and make sure no-one besides him can login - otherwise if 8096 is enabled - and someone does login via ssh as a non-root user - that someone can do anything he pleases.

Alternatively we can use 8080 with username and password. We just liked the simplicity and flexibility of API port interface of 3.x

On Oct 22, 2012, at 4:28 PM, "Ahmad Emneina" <Ah...@citrix.com> wrote:

> When you access cloudstack through the regular api endpoint
> <host>:8080/client you will need to authenticate to execute commands. 8096
> is the unauthenticated admin port, which should be locked down on
> production installs.

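As an added illustration (not code from this thread or from CloudStack itself) of the key/signature check Ilya expected: the authenticated 8080 endpoint verifies an HMAC-SHA1 signature over the sorted, lower-cased query string, so a wrong API key or an altered command is rejected, whereas the 8096 integration port performs no such check. It assumes CloudStack's documented signing scheme; the API key, secret and command values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def _canonical(params: dict) -> str:
    # CloudStack canonical form: "key=urlencoded(value)" pairs sorted by
    # parameter name (case-insensitive), joined with '&', whole string lower-cased.
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in pairs).lower()


def sign(params: dict, api_key: str, secret_key: str) -> dict:
    """Client side: attach apikey and an HMAC-SHA1/base64 signature."""
    req = dict(params)
    req["apikey"] = api_key
    digest = hmac.new(secret_key.encode(), _canonical(req).encode(), hashlib.sha1).digest()
    req["signature"] = base64.b64encode(digest).decode()
    return req


def verify(request: dict, lookup_secret) -> bool:
    """Server side: the check the 8080 endpoint performs and 8096 does not.

    lookup_secret(api_key) returns the secret for a known key, else None.
    """
    if "apikey" not in request or "signature" not in request:
        return False
    secret = lookup_secret(request["apikey"])
    if secret is None:  # unknown key: the 3.x-style 'invalid credentials' outcome
        return False
    unsigned = {k: v for k, v in request.items() if k != "signature"}
    digest = hmac.new(secret.encode(), _canonical(unsigned).encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, request["signature"])


if __name__ == "__main__":
    # constructed credentials, not real ones
    keystore = {"constructed-api-key": "constructed-secret"}
    req = sign({"command": "listVirtualMachines", "response": "json"},
               "constructed-api-key", "constructed-secret")
    print("valid request  :", verify(req, keystore.get))            # True
    bad_key = dict(req, apikey="any-other-key")
    print("wrong api key  :", verify(bad_key, keystore.get))        # False
    tampered = dict(req, command="destroyVirtualMachine")
    print("altered command:", verify(tampered, keystore.get))       # False
```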

Re: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

Posted by Ahmad Emneina <Ah...@citrix.com>.

To disable the admin api port, set the following param to 0, in your
global settings:
integration.api.port

-- 
Æ




Re: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

Posted by Ahmad Emneina <Ah...@citrix.com>.
When you access cloudstack through the regular api endpoint
<host>:8080/client you will need to authenticate to execute commands. 8096
is the unauthenticated admin port, which should be locked down on
production installs.

On 10/22/12 1:25 PM, "Musayev, Ilya" <im...@webmd.net> wrote:

>I see... so the API Key and Signature generation is obsolete as well?


-- 
Æ




RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

Posted by "Musayev, Ilya" <im...@webmd.net>.
I see... so the API Key and Signature generation is obsolete as well?

-----Original Message-----
From: Edison Su [mailto:Edison.su@citrix.com] 
Sent: Monday, October 22, 2012 4:16 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

By default, port 8096 is disabled, and is intended to be without API signature/key check.
If the 8096 is turned on by yourself, then somehow, it's up to you how to secure it.


RE: API Key and Signature security flaw on CS4 - jenkins build non-oss 137

Posted by Edison Su <Ed...@citrix.com>.
By default, port 8096 is disabled, and is intended to be without API signature/key check.
If the 8096 is turned on by yourself, then somehow, it's up to you how to secure it.
