Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631200

Summary: <sys-auth/keystone-12.0.0: sha512_crypt for password hashing is insufficient
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: openstack, prometheanfire
Priority: Low    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2017/q3/468
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-09-17 13:21:43 UTC 
From $URL:

sha512_crypt is insufficient for password hashing
-------------------------------------------------

### Summary ###

Use of sha512_crypt for password hashing in versions of Keystone prior
to Pike, is insufficient and provides limited protection against
brute-forcing of password hashes.

### Affected Services / Software ###
OpenStack Identity Service (Keystone). OpenStack Releases Ocata, Newton.

### Discussion ###

Keystone uses sha512_crypt for password hashing. This provides
insufficient and limited protection, since sha512_crypt algorithm has a
low computational cost factor, therefore making it easier to crack
passwords offline in a short period of time.

The correct mechanism is to use the more secure hashing algorithms with
a higher computational cost factor such as bcrypt, scrypt, or
pbkdf2_sha512 instead of sha512_crypt.

### Recommended Actions ###

It is recommended that operators upgrade to the Pike release where all
future passwords would be bcrypt hashed.

Operators should also force password changes on all users [1], which
will result in the users newly generated passwords being bcrypt hashed.

### Contacts / References ###
Author: Luke Hinds <lhinds () redhat com>
[1]:
https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#force-users-to-change-password-upon-first-use
[2] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0081
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1668503
Mailing List : [Security] tag on openstack-dev () lists openstack org
OpenStack Security Project : https://launchpad.net/~openstack-ossg


@Maintainer(s): Please state when the package is ready for stabilization.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-09-17 18:04:13 UTC 
It's scheduled to go stable on the 30th.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:48:53 UTC 
please drop vulnerable versions
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-20 03:05:12 UTC 
That would mean dropping much more than just the older versions of keystone.

It'd mean dropping the older versions of cinder, glance, heat, neutron, nova, swift, possibly more.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 03:20:45 UTC 
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> That would mean dropping much more than just the older versions of keystone.
> 
> It'd mean dropping the older versions of cinder, glance, heat, neutron,
> nova, swift, possibly more.

Well a mask would cause the same pain I suppose. Oh, well.  Leave the vulnerable I guess.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-18 16:06:05 UTC 
cleanup done.

GLSA Vote: No.

Thank you all