[OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)

Bug #1349597 reported by Brant Knudson
Affects                          Status         Importance  Assigned to         Milestone
OpenStack Identity (keystone)    Fix Released   High        Brant Knudson
  Havana                         Invalid        High        Unassigned
  Icehouse                       Fix Released   High        Brant Knudson
OpenStack Security Advisory      Fix Released   High        Tristan Cacqueray

Bug Description

If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.

This is because the code that calculates the fields for a domain-scoped token doesn't use the domain scope, so that information can't be used when testing against the revocation events.

Brant Knudson (blk-u) wrote :

In this case some tokens aren't getting revoked when you'd expect them to be, so this is a security vulnerability.

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
information type: Public → Public Security
Changed in keystone:
status: New → In Progress
Brant Knudson (blk-u) wrote :

This is addressed by these reviews:

https://review.openstack.org/#/c/109820/ - Fix revoking domain-scoped tokens
https://review.openstack.org/#/c/109819/ - Correct revocation event test for domain_id

Changed in keystone:
milestone: none → juno-3
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → High
tags: added: icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109819
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4447f16da036fe878382ce4e1b05b84bdcc4d4e
Submitter: Jenkins
Branch: master

commit c4447f16da036fe878382ce4e1b05b84bdcc4d4e
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 11:21:45 2014 -0500

    Correct revocation event test for domain_id

    The revocation event test used "user_domain_id" and
    "project_domain_id" as token fields that the "domain_id"
    revocation event field maps to, but the token fields are
    actually "identity_domain_id" and "assignment_domain_id", as
    can be seen in
    keystone.contrib.revoke.model.build_token_values().

    Change-Id: I208484da243403287eaa33893d57429c7e6d27c7
    Partial-Bug: #1349597

Thierry Carrez (ttx) wrote : Re: Domain-scoped tokens don't get revoked

Sounds legit. Is havana also affected ?

Changed in ossa:
status: New → Confirmed
importance: Undecided → Medium
tags: removed: icehouse-backport-potential
Brant Knudson (blk-u) wrote :

Thierry - Havana isn't affected. Revocation events were added in Icehouse.

Dolph Mathews (dolph) wrote :

Revocation events also aren't consumed yet - so there's no real effect on stable/icehouse until a future keystonemiddleware is released and the events are consumed.

Morgan Fainberg (mdrnstm) wrote :

As revocation events were not added until Icehouse, havana is not affected.

Thierry Carrez (ttx) wrote :

@Brant: could you propose an icehouse backport ? We could try to sneak it in 2014.1.2 planned for later this week...

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
importance: Medium → High
Tristan Cacqueray (tristan-cacqueray) wrote :

Title: Domain-scoped tokens don't get revoked
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone revocation events. If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked. Only Keystone setups configured to use revocation events are affected.

Brant Knudson (blk-u) wrote :

For the impact statement in comment 9, change "invalidated" to "disabled", and remove "and that generates a revocation event", since a domain being disabled will generate a revocation event if revocation events are enabled.

Here's a stab at a rewrite:

Brant Knudson from IBM reported a vulnerability in Keystone revocation events. If a domain is disabled any domain-scoped tokens using that domain will remain valid when they should be invalidated. Only Keystone setups configured to use revocation events are affected.

Tristan Cacqueray (tristan-cacqueray) wrote :

@Brant, thanks for corrections!

We are going to handle the OSSA task within this report: https://launchpad.net/bugs/1347961

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/109820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3e035ebb726167aef43c4a865c7e7f7d3b0978fb
Submitter: Jenkins
Branch: master

commit 3e035ebb726167aef43c4a865c7e7f7d3b0978fb
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 12:24:11 2014 -0500

    Fix revoking domain-scoped tokens

    A token scoped to a domain wouldn't be revoked for a domain-wide
    revocation event. This is because the code to convert a token to a
    dict for revocation event processing didn't handle domain-scoped
    tokens.

    Partial-Bug: #1349597

    Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
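
The mechanism described in the bug description and in the two commit messages above, as an added example. This is a simplified re-implementation written for this page, not Keystone's code: RevokeEvent, build_token_values_buggy(), build_token_values_fixed(), matches() and the sample tokens and event are all constructed here. It keeps the real field names the commit messages mention (a "domain_id" revocation event is tested against the token's "identity_domain_id" and "assignment_domain_id"), and shows why a domain-scoped token slipped past a domain-wide revocation event before the fix and is caught after it.

```python
"""Simplified model of Keystone-style revocation-event matching.

Added example, not Keystone code.  It reproduces the defect in
bug #1349597: the buggy token-to-dict conversion ignores the
'domain' scope of a domain-scoped token, so a domain-wide
revocation event (emitted when the domain is disabled) never
matches it and the token stays valid.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RevokeEvent:
    """One revocation event; a None field means 'matches anything'."""
    domain_id: Optional[str] = None
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    issued_before: Optional[float] = None  # revoke tokens issued before this


def build_token_values_buggy(token):
    """Pre-fix behaviour: only the user's domain and the project's
    domain are recorded; a token scoped to a domain is ignored."""
    values = {
        'user_id': token['user']['id'],
        'identity_domain_id': token['user']['domain']['id'],
        'assignment_domain_id': None,
        'project_id': None,
        'issued_at': token['issued_at'],
    }
    if 'project' in token:
        values['project_id'] = token['project']['id']
        values['assignment_domain_id'] = token['project']['domain']['id']
    # BUG: a domain-scoped token carries a 'domain' key that is never read,
    # so assignment_domain_id stays None for it.
    return values


def build_token_values_fixed(token):
    """Post-fix behaviour: the scoping domain is recorded as well."""
    values = build_token_values_buggy(token)
    if 'domain' in token:
        values['assignment_domain_id'] = token['domain']['id']
    return values


def matches(event, values):
    """True if the event revokes a token with the given values."""
    if event.user_id is not None and event.user_id != values['user_id']:
        return False
    if event.project_id is not None and event.project_id != values['project_id']:
        return False
    # A domain_id event hits tokens whose user OR assignment lives in that domain.
    if event.domain_id is not None and event.domain_id not in (
            values['identity_domain_id'], values['assignment_domain_id']):
        return False
    if event.issued_before is not None and values['issued_at'] >= event.issued_before:
        return False
    return True


def is_revoked(token, events, build=build_token_values_fixed):
    values = build(token)
    return any(matches(e, values) for e in events)


# Constructed sample data (not real Keystone output).
USER_IN_DEFAULT = {'id': 'u1', 'domain': {'id': 'default'}}
DOMAIN_SCOPED_TOKEN = {'user': USER_IN_DEFAULT, 'domain': {'id': 'acme'}, 'issued_at': 100.0}
PROJECT_SCOPED_TOKEN = {'user': USER_IN_DEFAULT,
                        'project': {'id': 'p1', 'domain': {'id': 'acme'}}, 'issued_at': 100.0}
UNSCOPED_TOKEN = {'user': USER_IN_DEFAULT, 'issued_at': 100.0}

# Disabling domain 'acme' produces one domain-wide revocation event.
EVENTS = [RevokeEvent(domain_id='acme', issued_before=200.0)]


def demo():
    """Compare buggy and fixed handling for each token kind."""
    return {
        'domain_scoped/buggy': is_revoked(DOMAIN_SCOPED_TOKEN, EVENTS, build_token_values_buggy),
        'domain_scoped/fixed': is_revoked(DOMAIN_SCOPED_TOKEN, EVENTS),
        'project_scoped/buggy': is_revoked(PROJECT_SCOPED_TOKEN, EVENTS, build_token_values_buggy),
        'unscoped/fixed': is_revoked(UNSCOPED_TOKEN, EVENTS),
    }


if __name__ == '__main__':
    for kind, revoked in demo().items():
        print(f'{kind}: revoked={revoked}')
```

The project-scoped token is caught even by the buggy conversion because its project's domain lands in assignment_domain_id; only the domain-scoped token is missed, which is exactly the gap the fix closes. The unscoped token belonging to a user in another domain is correctly left alone in both versions.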

Thierry Carrez (ttx)
Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112083

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/112084

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/112083
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cccc3f3239c68479de0f6a41bd64badf2a9ec9e7
Submitter: Jenkins
Branch: stable/icehouse

commit cccc3f3239c68479de0f6a41bd64badf2a9ec9e7
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 11:21:45 2014 -0500

    Correct revocation event test for domain_id

    The revocation event test used "user_domain_id" and
    "project_domain_id" as token fields that the "domain_id"
    revocation event field maps to, but the token fields are
    actually "identity_domain_id" and "assignment_domain_id", as
    can be seen in
    keystone.contrib.revoke.model.build_token_values().

    Conflicts:

     keystone/tests/test_revoke.py

    Change-Id: I208484da243403287eaa33893d57429c7e6d27c7
    Partial-Bug: #1349597
    (cherry picked from commit c4447f16da036fe878382ce4e1b05b84bdcc4d4e)

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/112084
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=317f9d34b4da20c21edd5b851889298b67c843e1
Submitter: Jenkins
Branch: stable/icehouse

commit 317f9d34b4da20c21edd5b851889298b67c843e1
Author: Brant Knudson <email address hidden>
Date: Sat Jul 26 12:24:11 2014 -0500

    Fix revoking domain-scoped tokens

    A token scoped to a domain wouldn't be revoked for a domain-wide
    revocation event. This is because the code to convert a token to a
    dict for revocation event processing didn't handle domain-scoped
    tokens.

    Partial-Bug: #1349597

    Change-Id: Ib2c58f3fc8790dbe7f8b073d18d3fa9b0dff608d
    (cherry picked from commit 3e035ebb726167aef43c4a865c7e7f7d3b0978fb)

Thierry Carrez (ttx)
Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx)
Changed in ossa:
status: Triaged → In Progress
summary: - Domain-scoped tokens don't get revoked
+ Domain-scoped tokens don't get revoked (CVE-2014-5253)
summary: - Domain-scoped tokens don't get revoked (CVE-2014-5253)
+ [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)
Changed in ossa:
status: In Progress → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Ryan Hsu (<email address hidden>) on branch: master
Review: https://review.openstack.org/121711
Reason: Testing

Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2