[OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | |
| Icehouse | Fix Released | High | Brant Knudson | |
| OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
If a user has the same ID as a group, and that group has roles granted to it, the user gets those roles even if they are not a member of the group.
Note that Keystone normally assigns IDs itself, and with uuid4 you are not going to get a user with the same ID as a group; some deployments use LDAP, however, where the IDs come from the LDAP entries and can therefore collide.
Here are instructions on how to recreate it:
1) Start with LDAP system (set up with devstack)
2) Create a user with an id of suspectid
$ ldapadd -D "cn=Manager,
dn: cn=suspectid,
objectclass: inetorgperson
sn: suspect
userPassword: blkpwd
3) Create a group with an id of suspectid
$ ldapadd -D "cn=Manager,
dn: cn=suspectid,
objectclass: groupOfNames
ou: suspect
member: cn=dumb,
$ openstack --os-identity-api=3 --os-auth-url http://
4) Grant a role to the group on a project
$ openstack --os-identity-api=3 --os-auth-url http://
5) Get a token as the user, notice that the user has the group's access.
$ curl -s \
-H "Content-Type: application/json" \
-d '
{ "auth": {
"passwordCr
"username": "suspect",
"password": "blkpwd"
},
"tenantName": "demo"
}
}' \
http://
---
{
}
],
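To make the failure mode concrete, here is an added model of the lookup described above (illustrative code, not Keystone's own): a flawed role lookup keyed only on actor ID, the hardened lookup that checks the assignment's actor type and real group membership, and a small audit helper that lists user/group ID collisions. The type labels, the sample assignments and the group membership table are constructed for the example.

```python
"""Model of the CVE-2014-0204 lookup flaw (illustrative, not Keystone code)."""
from dataclasses import dataclass

USER_PROJECT = "UserProject"    # assumed type labels, not Keystone's enum values
GROUP_PROJECT = "GroupProject"


@dataclass(frozen=True)
class Assignment:
    type: str       # which kind of actor this row grants to
    actor_id: str   # user id or group id
    target_id: str  # project id
    role_id: str


# Constructed sample data mirroring the report: the user and the group both
# carry the id "suspectid" and only the group has a role on "demo".
ASSIGNMENTS = [
    Assignment(GROUP_PROJECT, "suspectid", "demo", "member"),
    Assignment(USER_PROJECT, "alice", "demo", "admin"),
]
GROUP_MEMBERS = {"suspectid": {"dumb"}}   # group id -> set of member user ids


def roles_vulnerable(user_id, project_id, assignments=ASSIGNMENTS):
    """Flawed lookup: filters on actor_id only, so a group row whose id
    collides with the user id is returned as if it were the user's own."""
    return sorted(a.role_id for a in assignments
                  if a.actor_id == user_id and a.target_id == project_id)


def roles_fixed(user_id, project_id, assignments=ASSIGNMENTS,
                group_members=GROUP_MEMBERS):
    """Hardened lookup: direct roles must come from USER_PROJECT rows, and
    group roles are added only for groups the user actually belongs to."""
    direct = {a.role_id for a in assignments
              if a.type == USER_PROJECT and a.actor_id == user_id
              and a.target_id == project_id}
    my_groups = {g for g, members in group_members.items() if user_id in members}
    via_groups = {a.role_id for a in assignments
                  if a.type == GROUP_PROJECT and a.actor_id in my_groups
                  and a.target_id == project_id}
    return sorted(direct | via_groups)


def id_collisions(user_ids, group_ids):
    """Audit helper: ids present in both the user and the group namespace."""
    return sorted(set(user_ids) & set(group_ids))
```

Running `id_collisions` over the user and group IDs of an LDAP-backed deployment is the quickest way to tell whether the collision precondition exists at all.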
CVE References
Changed in ossa:
  status: New → Incomplete
Changed in ossa:
  importance: Undecided → High
Changed in keystone:
  assignee: nobody → Brant Knudson (blk-u)
  summary: User gets group auth if same id → User gets group auth if same id (CVE-2014-0204)
Changed in ossa:
  status: Triaged → In Progress
Changed in keystone:
  status: Confirmed → In Progress
  information type: Private Security → Public Security
  summary: User gets group auth if same id (CVE-2014-0204) → [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)
Changed in keystone:
  assignee: Brant Knudson (blk-u) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Brant Knudson (blk-u)
  tags: removed: icehouse-backport-potential
Changed in ossa:
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: none → juno-1
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: juno-1 → 2014.2
I suppose this would also be possible with a SQL identity backend, but the odds of a collision between system-assigned UUIDs are astronomically low. If this is due to the assignment SQL refactor, this should only affect master & icehouse - not havana.