barbican security review findings¶
barbican security review findings - 3.0.0.0b2/newton¶
Status: Draft
Release: Newton
Version: 3.0.0.0b2
Review Date: 08/18/2016
Review Body: OpenStack Security Project
Contacts:
PTL: Douglas Mendizábal - redrobot
Architect: Douglas Mendizábal - redrobot
Security Reviewer: Robert Clark - hyakuhei
Security Reviewer: Doug Chivers - capnoday
Findings:¶
1. Modification of ACLs in barbian database could compromise all secrets¶
Risk: barbican has a feature that allows a tenant to grant another tenant access to a secret. This is controlled via a tenant mapping table within the barbican database. The implied security model of the barbican database (when running with PCKS#11) is that all cryptographic operations are performed in the HSM, a confidentiality or integrity breach of the database will not directly result in secrets being compromised. However if an attacker was able to modify the ACL mapping, they could grant a tenant access to any/all secrets stored in the HSM. Once the mapping is manipulated the attacker could retrieve secrets using the normal barbican API.
Impact: All secrets stored in barbican are exposed.
Likelihood: Medium
Impact: High
Overall Risk Rating: High
Bug: <link to launchpad bug for this finding>
Recommendation: Provide deployment guidance requiring strong controls securing access to the barbican database.
2. Misconfigured HSM credential could cause DoS via HSM auto-purge¶
Risk: A misconfigured or tampered barbican hardware security module (HSM) credential could cause a denial-of-service of barbican (and potentially other services using the HSM if it is shared), if the HSM is configured to purge after a number of failed connection attempts.
Impact: Denial of service to barbican, potential loss of all secrets if there is inadequate backup, denial of service and potential loss of secrets for other services sharing the HSM.
Likelihood: Low
Impact: High
Overall Risk Rating: Medium
Bug: <link to launchpad bug for this finding>
Recommendation: Deployment guidance recommending that HSMs should not be configured to auto-purge, unless this risk is actively managed via a security event monitoring system. In this later case, consider adding a delay period or auto backoff to barbican connection attempts to allow a SOC time to respond.
3. Compromised HSM credential could cause DoS and all secrets (PKCS#11 only)¶
Risk: When using PKCS#11 to connect barbican to a HSM, a compromised HSM credential would allow an attacker to delete MKEK and HMAC keys, causing a denial of service. If these keys were not backed up, all secrets would be lost.
Impact: Denial of service, loss of all secrets.
Likelihood: Low
Impact: High
Overall Risk Rating: Medium
Bug: <link to launchpad bug for this finding>
Recommendation: Deployment guidance recommending that HSM credentials are protected.
4. Compromised HSM credential lets attacker access all secrets (KMIP only)¶
Risk: Although this review focusses on PKCS#11 barbican deployments, the following KMIP finding was discovered during review and is included here for completeness. When using KMIP to connect barbican to a HSM, a compromised HSM credential allows an attacker to access all secrets stored in the HSM.
Impact: Compromise of all secrets.
Likelihood: Low
Impact: High
Overall Risk Rating: Medium
Bug: <link to launchpad bug for this finding>
Recommendation: Deployment guidance recommending that HSM credentials are protected.
5. Metadata should be sanitized before rendering to avoid XSS¶
Risk: Lack of sanitization of metadata could lead to cross site scripting (XSS) vulnerabilities.
Impact:
Likelihood: Low
Impact: Medium
Overall Risk Rating: Medium
Recommendation: Ensure future UI designers are aware of this risk and sanitize all metadata before rendering.
6. Weak keystone credentials could result in loss of barbican users/secrets.¶
Risk: An integrity failure of the keystone event queue credentials could allow an attacker to point barbican at a keystone event queue controlled by the attacker, the attacker could then publish events triggering deletion of all users/projects/secrets in barbican.
Impact: Soft deletion of all users/projects/secrets in the compromised barbican deployment. Limited impact as there is time to restore deleted data before the cleanup process runs.
Likelihood: Low
Impact: Medium
Overall Risk Rating: Low
Bug: <link to launchpad bug for this finding>
Recommendation: Strong integrity controls for keystone credentials, monitoring to detect mass deletion.
7. Compromised keystone credentials could lead to barbican admin compromise¶
Risk: If the keystone credentials for the barbican service account (for token validation) have barbican admin privileges then a confidentiality failure could allow an attacker to manipulate the barbican administration functions.
Impact: Compromise of secrets, DOS.
Likelihood: Medium
Impact: High
Overall Risk Rating: Medium
Bug: <link to launchpad bug for this finding>
Recommendation: Do not grant barbican service account admin privileges
8. Compromise of PKCS#11 MKEK/HMAC backup could cause compromise of all secrets¶
Risk: Loss of confidentiality of the PKCS#11 MKEK/HMAC backup could allow an attacker to decrypt all secrets in the barbican database.
Impact: Compromise of all secrets
Likelihood: Low
Impact: High
Overall Risk Rating: Medium
Recommendation: Provide handling and encryption recommendations for MKEK/HMAC backups.
Recommendations:¶
1. Provide best practice recommendations for HSM usage and operations¶
Recommendation: HSM security is outside the scope of this review (because it is an external entity), but it is critical to the security of a barbican deployment, so best practice recommendations should be provided for HSM usage and security.
2. Document metadata useage¶
Recommendation: barbican metadata is not encrpyted, but users could store confidential data there. barbican documentation should highlight this to users.
