Apache Qpid Authentication Bypass

Product Apache Qpid
Severity Medium
CVE Reference CVE-2015-0223
Type Apache Qpid Authentication Bypass

The Apache Qpid messaging broker implementation suffers from poorly implemented AMQP connection handling logic. This allows an adversary to gain anonymous access to the messaging service, regardless of the configured authentication mechanisms.


Description

Apache Qpid is an open source message-oriented middleware messaging broker. Qpid provides Java and C++ implementations of the Advanced Message Queuing Protocol (AMQP).

The C++ broker implementation suffers from poorly implemented AMQP connection handling logic, which allows an adversary to circumvent the authentication mechanisms enabled on the messaging broker.

Impact

An attacker can gain anonymous access to the messaging service and consume and operate on resources that should only be available to a limited number of successfully authenticated, legitimate users.

Cause

Apache Qpid, when configured to perform user authentication, was found to continue decoding and processing AMQP commands when the client supplied an empty username and password, instead of rejecting the connection.

Interim Workaround

Apache has developed a patch that can be applied manually to Qpid 0.30. The patch is available at the following link: https://issues.apache.org/jira/browse/QPID-6325

Solution

Upgrade to Apache Qpid version 0.31 or later.

Technical Details

Apache Qpid can be configured to perform client authentication using the Simple Authentication and Security Layer (SASL) framework. This can be achieved by setting the auth directive to ‘yes’ in the qpidd.conf configuration file, followed by adding user accounts to the SASL authentication database.

SASL provides various authentication and data security mechanisms such as CRAM-MD5, DIGEST-MD5, PLAIN and ANONYMOUS. The ANONYMOUS mechanism does not, in fact, provide any form of authentication, but instead allows for clients to gain access to services or resources without the need to provide a valid combination of credentials.

It is, however, possible for an attacker to supply an empty username and password even when ANONYMOUS is not among the enabled mechanisms. In this case, Qpid grants anonymous access to the messaging service, regardless of the authentication mechanisms actually configured.
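The following Python script is an added example; it is not part of the advisory or of Apache Qpid's own code. It decodes a SASL PLAIN initial response in the format defined by RFC 4616 ([authzid] NUL authcid NUL passwd) and models the broker-side decision the advisory describes: a connection.open handler that never checks whether a user identity was established, beside one carrying the same kind of empty-user check the vendor fix added. The user database, all function names and the behaviour of the modelled SASL exchange (an all-empty response leaving the user id empty instead of failing) are assumptions for illustration; only the PLAIN wire format is standard.

```python
"""Added example: SASL PLAIN decoding and the empty-user check at connection.open.

Not Apache Qpid code. The broker-side functions below are a simplified model
of the behaviour described in the advisory, not the real C++ implementation.
"""
from dataclasses import dataclass


class AuthError(Exception):
    """Raised wherever the modelled broker would refuse the connection."""


@dataclass
class PlainCredentials:
    authzid: str   # optional authorization identity (may be empty)
    authcid: str   # authentication identity (RFC 4616 requires >= 1 char)
    passwd: str    # password (RFC 4616 requires >= 1 char)


def decode_sasl_plain(response: bytes) -> PlainCredentials:
    """Split a PLAIN initial response into its three NUL-separated fields.

    Deliberately permissive: it does not enforce the RFC 4616 minimum lengths
    for authcid and passwd, so the reader can see what an all-empty response
    (b"\\x00\\x00") decodes to.
    """
    parts = response.split(b"\x00")
    if len(parts) != 3:
        raise AuthError("malformed PLAIN response: expected 3 NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return PlainCredentials(authzid, authcid, passwd)


# Constructed user database standing in for the SASL sasldb (assumption).
USERS = {"guest": "guest", "admin": "s3cret"}


def sasl_plain_exchange(response: bytes) -> str:
    """Return the user id the modelled broker records after the PLAIN exchange.

    Assumption modelled from the advisory: an empty username/password pair does
    not produce an authentication failure, it merely leaves the connection's
    user id empty. Any other credential pair is checked against USERS.
    """
    creds = decode_sasl_plain(response)
    if creds.authcid == "" and creds.passwd == "":
        return ""  # no identity established, but no error raised either
    if USERS.get(creds.authcid) != creds.passwd:
        raise AuthError("authentication failed")
    return creds.authcid


def broker_open_vulnerable(user_id: str) -> str:
    """Pre-fix connection.open: never asks whether a user id exists."""
    return f"open granted for {user_id!r}"


def broker_open_fixed(user_id: str) -> str:
    """Post-fix connection.open: refuse when no user id was established."""
    if user_id == "":
        raise AuthError("Not authenticated!")
    return f"open granted for {user_id!r}"


def connect_with_plain(response: bytes, patched: bool) -> str:
    """Run the client path end to end: PLAIN exchange, then connection.open.

    Returns the broker's decision as a string so both outcomes are comparable.
    """
    try:
        user_id = sasl_plain_exchange(response)
        gate = broker_open_fixed if patched else broker_open_vulnerable
        return gate(user_id)
    except AuthError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    # Constructed sample responses: empty credentials, valid user, bad password.
    for resp in (b"\x00\x00", b"\x00guest\x00guest", b"\x00admin\x00wrong"):
        print(resp, "unpatched ->", connect_with_plain(resp, patched=False))
        print(resp, "patched   ->", connect_with_plain(resp, patched=True))
```

Two things worth noting when reading the output. First, the empty response `b"\x00\x00"` is accepted by the unpatched path and refused with "Not authenticated!" by the patched one, while a valid user is accepted by both; that is the whole difference the vendor fix makes. Second, RFC 4616 requires authcid and passwd to be at least one character, so a strictly conforming SASL server would already fail the exchange on an all-empty response; the broker-side check at connection.open is the defence in depth that protects against a SASL layer that does not.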

The following excerpt from the vendor patch shows the previously missing check for an empty user ID that was added to ConnectionHandler::Handler::open(), so that a connection.open command arriving on a connection with no authenticated user is now rejected.

@@ -234,21 +234,25 @@ void ConnectionHandler::Handler::tuneOk(uint16_t /*channelmax*/,
 void ConnectionHandler::Handler::open(const string& /*virtualHost*/,
                                       const framing::Array& /*capabilities*/, bool /*insist*/)
 {
+    if (connection.getUserId().empty()) {
+        throw ConnectionForcedException("Not authenticated!");
+    }
+
     if (connection.isFederationLink()) {
         AclModule* acl =  connection.getBroker().getAcl();
         if (acl && acl->userAclRules()) {
             if (!acl->authorise(connection.getUserId(),acl::ACT_CREATE,acl::OBJ_LINK,"")){
-                proxy.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,
-                            QPID_MSG("ACL denied " << connection.getUserId()
-                                        << " creating a federation link"));
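Review bot: the new guard at the top of open(), `if (connection.getUserId().empty()) { throw ConnectionForcedException("Not authenticated!"); }`, is only a correct fix if every successful SASL exchange, including the ANONYMOUS mechanism where it is enabled, leaves a non-empty user id on the connection; otherwise legitimately authenticated clients would now be refused at connection.open, so that invariant should be confirmed and stated in a comment next to the check. The excerpt is also truncated: the header says the hunk grows from 21 to 25 lines, but only the four added lines and the three removed `proxy.close(...)` lines are shown, so the replacement for the ACL-denied close cannot be reviewed here. Finally, the check fires at open() rather than at the point the SASL outcome is recorded, so the earlier connection commands the header shows preceding it (tuneOk) still run for an unauthenticated connection; that is acceptable only if nothing before open() touches protected resources, and is worth saying in the commit message.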

This vulnerability was confirmed and successfully demonstrated against an instance of Apache Qpid configured with the PLAIN Simple Authentication and Security Layer (SASL) mechanism enabled.

Detailed Timeline

Date Summary
2015-01-18 Reported to Apache and Red Hat
2015-01-19 Red Hat confirms reception and requests proof of concept
2015-01-19 MWR sends proof of concept
2015-01-19 Red Hat confirms the vulnerability
2015-01-20 Red Hat suggests fix
2015-01-26 Public fix released
2015-02-06 Advisory published