[OSSA 2013-028] Removing role adds role with LDAP backend

Bug #1242855 reported by Brant Knudson on 2013-10-21
Affects                      Status  Importance  Assigned to     Milestone
Keystone                             Critical    Brant Knudson
Grizzly                              Critical    Brant Knudson
Havana                               Critical    Brant Knudson
OpenStack Security Advisory          High        Thierry Carrez

Bug Description

Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.

To recreate

0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):

In localrc,
 enable_service ldap
 KEYSTONE_IDENTITY_BACKEND=ldap
 KEYSTONE_ASSIGNMENT_BACKEND=ldap

1) set up environment with OS_USERNAME=admin

export OS_USERNAME=admin
...

2) Create a new user, give admin role, list roles:

$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 3b71182dc36e45c6be4733d508201694 |
| name     | blktest1                         |
+----------+----------------------------------+

$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+

3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- Expected to fail with 404, but it doesn't!

4) List roles as that user:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id                               | name        | user_id                          | tenant_id                        |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin       | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+

- Expected to not include the role that was just removed!

5) Remove the role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- No errors, which I guess is expected since list just said they had the role...

6) List roles, and now it's gone:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+

7) Remove role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)

- Strangely says user not found rather than role not assigned.
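The following Python model is an added illustration of the behaviour reported above and of the regression check the fix needed; it is not Keystone's code. It assumes (as a modelling choice, not a fact taken from the page) an LDAP-style store with one entry per (tenant, role) pair, created the first time the role is used on that tenant, whose occupants are the users holding the role. Under that assumption the replay of steps 2 to 7 produces exactly the sequence the report shows: the first removal grants the role, the second removes it, the third fails with a not-found error.

```python
"""Constructed model of bug #1242855 (added example, not Keystone's code).

Assumption: the assignment store keeps one entry per (tenant, role) pair,
created on first use, with the role's holders recorded as that entry's
occupants. This mirrors the report's note that the defect only appears
when the role was never granted to anyone on the tenant before.
"""


class NotFound(Exception):
    """Stands in for the 404 Not Found that the SQL backend returns."""


class LdapAssignmentModel:
    """Minimal stand-in for an LDAP-backed role assignment store."""

    def __init__(self, fixed):
        self.fixed = fixed      # True models the corrected behaviour
        self.entries = {}       # (tenant, role) -> set of user ids

    def add_role(self, user, tenant, role):
        """Grant role to user on tenant, creating the entry on first use."""
        self.entries.setdefault((tenant, role), set()).add(user)

    def list_roles(self, user, tenant):
        """Roles the user holds on the tenant (what user-role-list shows)."""
        return sorted(role for (t, role), users in self.entries.items()
                      if t == tenant and user in users)

    def remove_role(self, user, tenant, role):
        """Revoke role from user on tenant (what user-role-remove does)."""
        key = (tenant, role)
        if key not in self.entries:
            if self.fixed:
                # Corrected behaviour: nothing to remove, so report 404.
                raise NotFound("role %r not assigned on tenant %r" % (role, tenant))
            # Defective behaviour modelled here: the missing entry is created
            # on the way to modifying it and the user ends up as its occupant,
            # so the "removal" silently grants the role.
            self.entries[key] = {user}
            return
        users = self.entries[key]
        if user not in users:
            raise NotFound("user %r does not hold %r on %r" % (user, role, tenant))
        users.discard(user)     # the entry itself persists once created


def reproduce(fixed):
    """Replay steps 2-7 of the report against the model.

    Returns, for each user-role-remove attempt (steps 3, 5 and 7), what the
    call did and the roles the user holds afterwards.
    """
    store = LdapAssignmentModel(fixed)
    store.add_role("blktest1", "service", "admin")          # step 2
    outcomes = []
    for _ in range(3):                                      # steps 3, 5, 7
        try:
            store.remove_role("blktest1", "service", "anotherrole")
            outcomes.append(("removed", store.list_roles("blktest1", "service")))
        except NotFound:
            outcomes.append(("404", store.list_roles("blktest1", "service")))
    return outcomes


def removal_never_grants(store, user, tenant, role):
    """Regression check in the spirit of the test added alongside the fix:
    whatever removing an unassigned role does, the user must not hold that
    role afterwards."""
    try:
        store.remove_role(user, tenant, role)
    except NotFound:
        pass
    return role not in store.list_roles(user, tenant)


if __name__ == "__main__":
    for label, fixed in (("defective", False), ("fixed", True)):
        print(label, reproduce(fixed))
```

Running the module prints the defective replay (grant, remove, 404) beside the fixed one (404 three times); `removal_never_grants` is the property a backend test should assert so that a regression of this kind cannot reappear unnoticed.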

CVE References

Brant Knudson (blk-u) on 2013-10-21
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)

Fix proposed to branch: master
Review: https://review.openstack.org/53012

Changed in keystone:
status: New → In Progress
Brant Knudson (blk-u) on 2013-10-21
tags: added: havana-backport-potential
Brant Knudson (blk-u) on 2013-10-22
description: updated
Dolph Mathews (dolph) on 2013-10-22
Changed in keystone:
importance: Undecided → Critical
Dolph Mathews (dolph) on 2013-10-22
information type: Public → Public Security
Changed in keystone:
assignee: Brant Knudson (blk-u) → Dolph Mathews (dolph)
Thierry Carrez (ttx) on 2013-10-22
Changed in ossa:
status: New → Incomplete

Reviewed: https://review.openstack.org/53010
Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa
Submitter: Jenkins
Branch: master

commit b17e7bec768bd53d3977352486378698a3db3cfa
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

    Enhance tests for deleting a role not assigned

    There wasn't a test that showed what happens when a role is
    deleted that was never assigned.

    Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506
    Related-bug: #1242855

Reviewed: https://review.openstack.org/53012
Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0
Submitter: Jenkins
Branch: master

commit c6800ca1ac984c879e75826df6694d6199444ea0
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:31:23 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

    This change makes it so that when an attempt is made to remove a
    role that wasn't assigned, 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3

Changed in keystone:
status: In Progress → Fix Committed
Brant Knudson (blk-u) on 2013-10-22
Changed in keystone:
assignee: Dolph Mathews (dolph) → Brant Knudson (blk-u)
tags: added: grizzly-backport-potential
Dolph Mathews (dolph) on 2013-10-22
tags: removed: grizzly-backport-potential havana-backport-potential

I think that would warrant an OSSA alright.

Changed in ossa:
importance: Undecided → High
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Proposed impact description:

=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: Brant Knudson (IBM)
Products: Keystone
Affects: Grizzly, Havana

Description:
Brant Knudson from IBM reported a vulnerability in role change code within the Keystone LDAP backend. Under certain conditions, when a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. An user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=========================================

Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → Triaged
Brant Knudson (blk-u) wrote :

ttx - could you change the reporter to "The IBM OpenStack test team" -- it was our test team that discovered it.

Also, suggest change "An user" to "A user" since that reads better to me.

Otherwise looks good.

Dolph Mathews (dolph) wrote :

The "Under certain conditions," can probably be removed if you also change "may" to "will" in that sentence -- the rest of the sentence describes the condition pretty accurately :)

Thierry Carrez (ttx) wrote :

The "under certain conditions" was to account for "the role must not have been granted to anyone on the tenant before".
Let's keep "may" but remove "under certain conditions" then:

=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=========================================

Thierry Carrez (ttx) wrote :
Changed in ossa:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/53154
Committed: http://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc
Submitter: Jenkins
Branch: stable/grizzly

commit 82dcde08f60c45002955875664a3cf82d1d211bc
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

    This change makes it so that when an attempt is made to remove a
    role that wasn't assigned, 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
    (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
    (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
    (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)

Reviewed: https://review.openstack.org/53146
Committed: http://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0
Submitter: Jenkins
Branch: stable/havana

commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

    This change makes it so that when an attempt is made to remove a
    role that wasn't assigned, 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
    (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
    (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)

Thierry Carrez (ttx) wrote :

[OSSA 2013-028]

Changed in ossa:
status: In Progress → Fix Released
summary: - Removing role adds role with LDAP backend
+ [OSSA 2013-028] Removing role adds role with LDAP backend
Matthew Thode (prometheanfire) wrote :

Was this backported to folsom (as it is still supported)?

Brant Knudson (blk-u) wrote :

The fix proposed to stable/folsom was abandoned because the release is no longer supported.

Thierry Carrez (ttx) on 2013-12-04
Changed in keystone:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in keystone:
milestone: icehouse-1 → 2014.1