OpenStack Identity (keystone)

[OSSA 2013-028] Removing role adds role with LDAP backend

Bug #1242855 reported by Brant Knudson on 2013-10-21

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Identity (keystone)	Fix Released	Critical	Brant Knudson	OpenStack Identity (keystone) 2014.1 "icehouse"
Grizzly	Fix Released	Critical	Brant Knudson	OpenStack Identity (keystone) 2013.1.5
Havana	Fix Released	Critical	Brant Knudson	OpenStack Identity (keystone) 2013.2.1
OpenStack Security Advisory	Fix Released	High	Thierry Carrez

Bug Description

Using the LDAP assignment backend, if you attempt to remove a role from a user on a tenant and the user doesn't have that role on the tenant then the user is actually granted the role on the tenant. Also, the role must not have been granted to anyone on the tenant before.

To recreate

0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):

In localrc,
enable_service ldap
KEYSTONE_IDENTITY_BACKEND=ldap
KEYSTONE_ASSIGNMENT_BACKEND=ldap

1) set up environment with OS_USERNAME=admin

export OS_USERNAME=admin
...

2) Create a new user, give admin role, list roles:

$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+

3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- Expected to fail with 404, but it doesn't!

4) List roles as that user:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+

- Expected to not include the role that was just removed!

5) Remove the role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- No errors, which I guess is expected since list just said they had the role...

6) List roles, and now it's gone:

7) Remove role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)

- Strangely says user not found rather than role not assigned.

See original description

CVE References

2013-4477

Brant Knudson (blk-u) on 2013-10-21

Changed in keystone:
assignee:	nobody → Brant Knudson (blk-u)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-21: Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/53010

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-21: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/53012

Changed in keystone:
status:	New → In Progress

Brant Knudson (blk-u) on 2013-10-21

tags:

added: havana-backport-potential

Brant Knudson (blk-u) on 2013-10-22

description:

updated

Dolph Mathews (dolph) on 2013-10-22

Changed in keystone:
importance:	Undecided → Critical

Dolph Mathews (dolph) on 2013-10-22

information type:

Public → Public Security

OpenStack Infra (hudson-openstack) on 2013-10-22

Changed in keystone:
assignee:	Brant Knudson (blk-u) → Dolph Mathews (dolph)

Thierry Carrez (ttx) on 2013-10-22

Changed in ossa:
status:	New → Incomplete

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-22: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/53010
Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa
Submitter: Jenkins
Branch: master

commit b17e7bec768bd53d3977352486378698a3db3cfa
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

Enhance tests for deleting a role not assigned

There wasn't a test that showed what happens when a role is
deleted that was never assigned.

Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506
Related-bug: #1242855

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-22: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/53012
Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0
Submitter: Jenkins
Branch: master

commit c6800ca1ac984c879e75826df6694d6199444ea0
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:31:23 2013 -0500

Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.

Closes-Bug: #1242855
Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-22: Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/53146

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-22: Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/53154

Brant Knudson (blk-u) on 2013-10-22

Changed in keystone:
assignee:	Dolph Mathews (dolph) → Brant Knudson (blk-u)
tags:	added: grizzly-backport-potential

Dolph Mathews (dolph) on 2013-10-22

tags:

removed: grizzly-backport-potential havana-backport-potential

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-24: Re: Removing role adds role with LDAP backend

I think that would warrant an OSSA alright.

Changed in ossa:
importance:	Undecided → High
status:	Incomplete → Confirmed

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-24:

Proposed impact description:

=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: Brant Knudson (IBM)
Products: Keystone
Affects: Grizzly, Havana

Description:
Brant Knudson from IBM reported a vulnerability in role change code within the Keystone LDAP backend. Under certain conditions, when a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. An user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=========================================

Changed in ossa:
assignee:	nobody → Thierry Carrez (ttx)
status:	Confirmed → Triaged

Revision history for this message

Brant Knudson (blk-u) wrote on 2013-10-24:

ttx - could you change the reporter to "The IBM OpenStack test team" -- it was our test team that discovered it.

Also, suggest change "An user" to "A user" since that reads better to me.

Otherwise looks good.

Revision history for this message

Dolph Mathews (dolph) wrote on 2013-10-24:

#10

The "Under certain conditions," can probably be removed if you also change "may" to "will" in that sentence -- the rest of the sentence describes the condition pretty accurately :)

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-28:

#11

The "under certain conditions" was to account for "the role must not have been granted to anyone on the tenant before".
Let's keep "may" but remove "under certain conditions" then:

=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
=========================================

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-29:

#12

CVE publicly requested at http://openwall.com/lists/oss-security/2013/10/29/4

Changed in ossa:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-29: Fix merged to keystone (stable/grizzly)

#13

Reviewed: https://review.openstack.org/53154
Committed: http://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc
Submitter: Jenkins
Branch: stable/grizzly

commit 82dcde08f60c45002955875664a3cf82d1d211bc
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

Fix remove role assignment adds role using LDAP assignment

This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
    (cherry picked from commit c6800ca1ac984c879e75826df6694d6199444ea0)
    (cherry picked from commit b17e7bec768bd53d3977352486378698a3db3cfa)
    (cherry picked from commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-10-29: Fix merged to keystone (stable/havana)

#14

Reviewed: https://review.openstack.org/53146
Committed: http://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0
Submitter: Jenkins
Branch: stable/havana

commit 4221b6020e6b0b42325d8904d7b8a22577a6acc0
Author: Brant Knudson <email address hidden>
Date: Mon Oct 21 15:21:12 2013 -0500

Fix remove role assignment adds role using LDAP assignment

This change makes it so that when attempt to remove a role that
wasn't assigned then 404 Not Found is returned.

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-29: Re: Removing role adds role with LDAP backend

#15

CVE-2013-4477

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-10-30:

#16

[OSSA 2013-028]

Changed in ossa:
status:	In Progress → Fix Released
summary:	- Removing role adds role with LDAP backend + [OSSA 2013-028] Removing role adds role with LDAP backend

Revision history for this message

Matthew Thode (prometheanfire) wrote on 2013-11-12:

#17

was this backported to folsom (as it is still supported)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-11-12: Fix proposed to keystone (stable/folsom)

#18

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/56100

Revision history for this message

Brant Knudson (blk-u) wrote on 2013-11-15:

#19

The fix proposed to stable/folsom was abandoned because the release is no longer supported.

Revision history for this message

Brant Knudson (blk-u) wrote on 2013-11-15:

#20

http://lists.openstack.org/pipermail/openstack-stable-maint/2013-November/001707.html

Thierry Carrez (ttx) on 2013-12-04

Changed in keystone:
milestone:	none → icehouse-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-04-17

Changed in keystone:
milestone:	icehouse-1 → 2014.1

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.