[OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)

Bug #1349597 reported by Brant Knudson on 2014-07-28
Affects                         Importance  Assigned to
OpenStack Identity (keystone)   High        Brant Knudson
  Havana                        High        Unassigned
  Icehouse                      High        Brant Knudson
OpenStack Security Advisory     High        Tristan Cacqueray

Bug Description

If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.

This is because the code to calculate the fields for a domain-scoped token doesn't use the domain scope, so that information can't be used when testing against the revocation events.

Brant Knudson (blk-u) wrote :

In this case some tokens aren't getting revoked when you'd expect them to be, so this is a security vulnerability.

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
information type: Public → Public Security
Changed in keystone:
status: New → In Progress
Brant Knudson (blk-u) wrote :

This is addressed by these reviews:

https://review.openstack.org/#/c/109820/ - Fix revoking domain-scoped tokens
https://review.openstack.org/#/c/109819/ - Correct revocation event test for domain_id

Changed in keystone:
milestone: none → juno-3
Dolph Mathews (dolph) on 2014-07-28
Changed in keystone:
importance: Undecided → High
tags: added: icehouse-backport-potential

Reviewed: https://review.openstack.org/109819
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4447f16da036fe878382ce4e1b05b84bdcc4d4e
Submitter: Jenkins
Branch: master

commit c4447f16da036fe878382ce4e1b05b84bdcc4d4e
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 11:21:45 2014 -0500

    Correct revocation event test for domain_id

    The revocation event test used "user_domain_id" and
    "project_domain_id" as token fields that the "domain_id"
    revocation event field maps to, but the token fields are
    actually "identity_domain_id" and "assignment_domain_id", as
    can be seen in
    keystone.contrib.revoke.model.build_token_values().

    Change-Id: I208484da243403287eaa33893d57429c7e6d27c7
    Partial-Bug: #1349597

Sounds legit. Is Havana also affected?

Changed in ossa:
status: New → Confirmed
importance: Undecided → Medium
tags: removed: icehouse-backport-potential
Brant Knudson (blk-u) wrote :

Thierry - Havana isn't affected. Revocation events were added in Icehouse.

Dolph Mathews (dolph) wrote :

Revocation events also aren't consumed yet - so there's no real effect on stable/icehouse until a future keystonemiddleware is released and the events are consumed.

Morgan Fainberg (mdrnstm) wrote :

As revocation events were not added until Icehouse, havana is not affected.

Thierry Carrez (ttx) wrote :

@Brant: could you propose an icehouse backport ? We could try to sneak it in 2014.1.2 planned for later this week...

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
importance: Medium → High

Title: Domain-scoped tokens don't get revoked
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone revocation events. If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked. Only Keystone setups configured to use revocation events are affected.

Brant Knudson (blk-u) wrote :

For the impact statement in comment 9, change "invalidated" to "disabled", and remove "and that generates a revocation event", since a domain being disabled will generate a revocation event if revocation events are enabled.

Here's a stab at a rewrite:

Brant Knudson from IBM reported a vulnerability in Keystone revocation events. If a domain is disabled any domain-scoped tokens using that domain will remain valid when they should be invalidated. Only Keystone setups configured to use revocation events are affected.

@Brant, thanks for the corrections!

We are going to handle the OSSA task within this report: https://launchpad.net/bugs/1347961

Reviewed: https://review.openstack.org/109820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3e035ebb726167aef43c4a865c7e7f7d3b0978fb
Submitter: Jenkins
Branch: master

commit 3e035ebb726167aef43c4a865c7e7f7d3b0978fb
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 12:24:11 2014 -0500

    Fix revoking domain-scoped tokens

    A token scoped to a domain wouldn't be revoked for a domain-wide
    revocation event. This is because the code to convert a token to a
    dict for revocation event processing didn't handle domain-scoped
    tokens.

    Partial-Bug: #1349597

    Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
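The bug description and the commit message above describe the mechanism in one sentence each: a domain_id revocation event is compared against the identity_domain_id and assignment_domain_id fields that build_token_values() derives from a token, and a domain-scoped token never populated the assignment side. The following is an added, simplified model of that matching, not Keystone's own code: the three field names and the domain_id mapping come from the commit messages on this page; the event shape, the other match rules, the helper names and the sample IDs (u-alice, d-default, d-acme, p-ops) are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Revocation-event field -> token fields it is compared against. The
# 'domain_id' rule is the one named in the commit message on this page;
# the other two are illustrative assumptions.
MATCH_RULES = {
    "user_id": ["user_id"],
    "project_id": ["project_id"],
    "domain_id": ["identity_domain_id", "assignment_domain_id"],
}

# Constructed timestamp shared by the sample tokens below.
ISSUED = datetime(2014, 7, 26, 12, 0, tzinfo=timezone.utc)


def build_token_values_vulnerable(token):
    """Pre-fix behaviour: only project-scoped tokens get an assignment_domain_id."""
    values = {
        "user_id": token["user"]["id"],
        "identity_domain_id": token["user"]["domain"]["id"],
        "issued_at": token["issued_at"],
        "project_id": None,
        "assignment_domain_id": None,
    }
    if "project" in token:
        values["project_id"] = token["project"]["id"]
        values["assignment_domain_id"] = token["project"]["domain"]["id"]
    # A domain-scoped token (a 'domain' key, no 'project') falls through with
    # assignment_domain_id still None, so a domain_id event can never hit it.
    return values


def build_token_values_fixed(token):
    """Post-fix behaviour: the domain a token is scoped to is also recorded."""
    values = build_token_values_vulnerable(token)
    if "domain" in token:
        values["assignment_domain_id"] = token["domain"]["id"]
    return values


def event_matches(event, token_values):
    """True when the token predates the event and every field set on the
    event equals one of the token fields that MATCH_RULES maps it to."""
    if token_values["issued_at"] >= event["issued_before"]:
        return False
    for field, wanted in event.items():
        if field == "issued_before" or wanted is None:
            continue
        if not any(token_values.get(tf) == wanted for tf in MATCH_RULES[field]):
            return False
    return True


def is_revoked(token, events, build_values):
    values = build_values(token)
    return any(event_matches(e, values) for e in events)


def match_rule_fields_known(build_values, token):
    """Check in the spirit of the corrected test: every token field a rule
    refers to must actually be produced by build_values, otherwise the rule
    silently never matches (the test had used user_domain_id/project_domain_id)."""
    produced = set(build_values(token))
    referenced = {tf for tfs in MATCH_RULES.values() for tf in tfs}
    return referenced <= produced


def sample_tokens():
    """Constructed tokens: alice lives in d-default and is scoped to d-acme,
    so identity_domain_id alone cannot satisfy a d-acme event."""
    user = {"id": "u-alice", "domain": {"id": "d-default"}}
    project_scoped = {"user": user, "issued_at": ISSUED,
                      "project": {"id": "p-ops", "domain": {"id": "d-acme"}}}
    domain_scoped = {"user": user, "issued_at": ISSUED,
                     "domain": {"id": "d-acme"}}
    return project_scoped, domain_scoped


def sample_events():
    """Constructed event emitted when domain d-acme is disabled after the
    tokens were issued."""
    return [{"domain_id": "d-acme", "issued_before": ISSUED + timedelta(minutes=5)}]


def demo():
    project_scoped, domain_scoped = sample_tokens()
    events = sample_events()
    out = {}
    for name, build in (("vulnerable", build_token_values_vulnerable),
                        ("fixed", build_token_values_fixed)):
        out[name] = {
            "project_scoped": is_revoked(project_scoped, events, build),
            "domain_scoped": is_revoked(domain_scoped, events, build),
        }
    return out


if __name__ == "__main__":
    for variant, results in demo().items():
        for scope, revoked in results.items():
            print(f"{variant:10s} {scope:14s} revoked={revoked}")
```

With the vulnerable builder the project-scoped token is revoked and the domain-scoped one survives; with the fixed builder both are revoked. The match_rule_fields_known() check is the kind of assertion the corrected test needed: a rule that names a token field nobody produces is a rule that never fires, and the test would pass anyway. As Dolph notes above, none of this has an effect until something actually consumes the revocation events.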

Thierry Carrez (ttx) on 2014-08-05
Changed in keystone:
status: In Progress → Fix Committed

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112084

Reviewed: https://review.openstack.org/112083
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cccc3f3239c68479de0f6a41bd64badf2a9ec9e7
Submitter: Jenkins
Branch: stable/icehouse

commit cccc3f3239c68479de0f6a41bd64badf2a9ec9e7
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 11:21:45 2014 -0500

    Correct revocation event test for domain_id

    The revocation event test used "user_domain_id" and
    "project_domain_id" as token fields that the "domain_id"
    revocation event field maps to, but the token fields are
    actually "identity_domain_id" and "assignment_domain_id", as
    can be seen in
    keystone.contrib.revoke.model.build_token_values().

    Conflicts:

     keystone/tests/test_revoke.py

    Change-Id: I208484da243403287eaa33893d57429c7e6d27c7
    Partial-Bug: #1349597
    (cherry picked from commit c4447f16da036fe878382ce4e1b05b84bdcc4d4e)

tags: added: in-stable-icehouse

Reviewed: https://review.openstack.org/112084
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=317f9d34b4da20c21edd5b851889298b67c843e1
Submitter: Jenkins
Branch: stable/icehouse

commit 317f9d34b4da20c21edd5b851889298b67c843e1
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 12:24:11 2014 -0500

    Fix revoking domain-scoped tokens

    A token scoped to a domain wouldn't be revoked for a domain-wide
    revocation event. This is because the code to convert a token to a
    dict for revocation event processing didn't handle domain-scoped
    tokens.

    Partial-Bug: #1349597

    Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
    (cherry picked from commit 3e035ebb726167aef43c4a865c7e7f7d3b0978fb)

Thierry Carrez (ttx) on 2014-08-07
Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) on 2014-08-11
Changed in ossa:
status: Triaged → In Progress
summary: - Domain-scoped tokens don't get revoked
+ Domain-scoped tokens don't get revoked (CVE-2014-5253)
summary: - Domain-scoped tokens don't get revoked (CVE-2014-5253)
+ [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)
Changed in ossa:
status: In Progress → Fix Released
Thierry Carrez (ttx) on 2014-09-04
Changed in keystone:
status: Fix Committed → Fix Released

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx) on 2014-10-16
Changed in keystone:
milestone: juno-3 → 2014.2