[OSSA 2013-028] Removing role adds role with LDAP backend
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | OpenStack Identity (keystone) |
Critical
|
Brant Knudson | ||
| | Grizzly |
Critical
|
Brant Knudson | ||
| | Havana |
Critical
|
Brant Knudson | ||
| | OpenStack Security Advisory |
High
|
Thierry Carrez | ||
Bug Description
Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.
To recreate
0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_
In localrc,
enable_service ldap
KEYSTONE_
KEYSTONE_
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+------
| Property | Value |
+------
| email | |
| enabled | True |
| id | 3b71182dc36e45c
| name | blktest1 |
+------
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
+------
3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
| afe23e7955704cc
+------
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- No errors, which I guess is expected since list just said they had the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+------
| id | name | user_id | tenant_id |
+------
| 1c39fab0fa9a4a6
+------
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c
- Strangely says user not found rather than role not assigned.
CVE References
| Changed in keystone: | |
| assignee: | nobody → Brant Knudson (blk-u) |
Fix proposed to branch: master
Review: https:/
| Changed in keystone: | |
| status: | New → In Progress |
| tags: | added: havana-backport-potential |
| description: | updated |
| Changed in keystone: | |
| importance: | Undecided → Critical |
| information type: | Public → Public Security |
| Changed in keystone: | |
| assignee: | Brant Knudson (blk-u) → Dolph Mathews (dolph) |
| Changed in ossa: | |
| status: | New → Incomplete |
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit b17e7bec768bd53
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500
Enhance tests for deleting a role not assigned
There wasn't a test that showed what happens when a role is
deleted that was never assigned.
Change-Id: I2845e3f03dc8e8
Related-bug: #1242855
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit c6800ca1ac984c8
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:31:23 2013 -0500
Fix remove role assignment adds role using LDAP assignment
When using the LDAP assignment backend, attempting to remove a
role assignment when the role hadn't been used before would
actually add the role assignment and would not return a
404 Not Found like the SQL backend.
This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.
Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a
| Changed in keystone: | |
| status: | In Progress → Fix Committed |
Fix proposed to branch: stable/havana
Review: https:/
Fix proposed to branch: stable/grizzly
Review: https:/
| Changed in keystone: | |
| assignee: | Dolph Mathews (dolph) → Brant Knudson (blk-u) |
| tags: | added: grizzly-backport-potential |
| tags: | removed: grizzly-backport-potential havana-backport-potential |
I think that would warrant an OSSA alright.
| Changed in ossa: | |
| importance: | Undecided → High |
| status: | Incomplete → Confirmed |
| Thierry Carrez (ttx) wrote : | #8 |
Proposed impact description:
=======
Title: Unintentional role granting with Keystone LDAP backend
Reporter: Brant Knudson (IBM)
Products: Keystone
Affects: Grizzly, Havana
Description:
Brant Knudson from IBM reported a vulnerability in role change code within the Keystone LDAP backend. Under certain conditions, when a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. An user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=======
| Changed in ossa: | |
| assignee: | nobody → Thierry Carrez (ttx) |
| status: | Confirmed → Triaged |
| Brant Knudson (blk-u) wrote : | #9 |
ttx - could you change the reporter to "The IBM OpenStack test team" -- it was our test team that discovered it.
Also, suggest change "An user" to "A user" since that reads better to me.
Otherwise looks good.
| Dolph Mathews (dolph) wrote : | #10 |
The "Under certain conditions," can probably be removed if you also change "may" to "will" in that sentence -- the rest of the sentence describes the condition pretty accurately :)
| Thierry Carrez (ttx) wrote : | #11 |
The "under certain conditions" was to account for "the role must not have been granted to anyone on the tenant before".
Let's keep "may" but remove "under certain conditions" then:
=======
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana
Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=======
| Thierry Carrez (ttx) wrote : | #12 |
CVE publicly requested at http://
| Changed in ossa: | |
| status: | Triaged → In Progress |
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: stable/grizzly
commit 82dcde08f60c450
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500
Fix remove role assignment adds role using LDAP assignment
When using the LDAP assignment backend, attempting to remove a
role assignment when the role hadn't been used before would
actually add the role assignment and would not return a
404 Not Found like the SQL backend.
This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.
Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a
(cherry picked from commit c6800ca1ac984c8
(cherry picked from commit b17e7bec768bd53
(cherry picked from commit 4221b6020e6b0b4
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: stable/havana
commit 4221b6020e6b0b4
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500
Fix remove role assignment adds role using LDAP assignment
When using the LDAP assignment backend, attempting to remove a
role assignment when the role hadn't been used before would
actually add the role assignment and would not return a
404 Not Found like the SQL backend.
This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.
Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a
(cherry picked from commit c6800ca1ac984c8
(cherry picked from commit b17e7bec768bd53
CVE-2013-4477
| Thierry Carrez (ttx) wrote : | #16 |
[OSSA 2013-028]
| Changed in ossa: | |
| status: | In Progress → Fix Released |
| summary: |
- Removing role adds role with LDAP backend + [OSSA 2013-028] Removing role adds role with LDAP backend |
| Matthew Thode (prometheanfire) wrote : | #17 |
was this backported to folsom (as it is still supported)
Fix proposed to branch: stable/folsom
Review: https:/
| Brant Knudson (blk-u) wrote : | #19 |
The fix proposed to stable/folsom was abandoned because the release is no longer supported.
| Brant Knudson (blk-u) wrote : | #20 |
| Changed in keystone: | |
| milestone: | none → icehouse-1 |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | icehouse-1 → 2014.1 |
Related fix proposed to branch: master
Review: https:/