[OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Boris Bobrov |
OpenStack Security Advisory | Fix Released | Critical | Tristan Cacqueray |
Bug Description
Keystone stable/ocata. Federation is used with the following mapping: http://
User admin@Default, with role admin in project admin@Default, wants to do something for project "Dev project for <email address hidden>". admin@Default assigns themselves role admin on the project (`openstack role add --user admin --user-domain Default --project <id for Dev project for unprivileged@> admin`).
At this point, if federated user "<email address hidden>" gets a new token by going through federation and then scopes the token, they get a token with role admin. Here is an example of such a token: http://
There is no record of the unprivileged user having role admin in the database. This assignment is not displayed in `openstack role assignment list`. The assignment only becomes effective when a scoped token is requested.
The workaround for the issue is to remove role admin from admin@Default on project "Dev project for unprivileged@". The unprivileged user immediately loses admin privileges; the token is still valid, but there is no role "admin" in GET /v3/auth/tokens.
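The discrepancy the report describes (a scoped token carrying a role that `openstack role assignment list` does not show) can be turned into an audit check. The following is an added example, not keystone's own code and not part of the original bug report: it compares the roles in a token body (the shape returned by GET /v3/auth/tokens) with the effective assignment listing for the same user and project (GET /v3/role_assignments?user.id=...&scope.project.id=...&effective, which expands group and inherited assignments into per-user entries). Both JSON documents are constructed samples in the v3 API shape, and all IDs are placeholders.

```python
# Constructed sample: a scoped token for the federated user, in the shape of
# the "token" body returned by GET /v3/auth/tokens. All IDs are placeholders.
SAMPLE_TOKEN = {
    "token": {
        "user": {
            "id": "fed-user-1",
            "name": "unprivileged@example.test",
            "domain": {"id": "default", "name": "Default"},
        },
        "project": {"id": "proj-dev-1", "name": "Dev project for unprivileged@"},
        "roles": [
            {"id": "role-member", "name": "member"},
            {"id": "role-admin", "name": "admin"},
        ],
    }
}

# Constructed sample: the body of
# GET /v3/role_assignments?user.id=fed-user-1&scope.project.id=proj-dev-1&effective
# Only "member" is recorded for this user on this project.
SAMPLE_ASSIGNMENTS = {
    "role_assignments": [
        {
            "role": {"id": "role-member"},
            "user": {"id": "fed-user-1"},
            "scope": {"project": {"id": "proj-dev-1"}},
        },
    ]
}


def recorded_role_ids(assignments_response, user_id, project_id):
    """Role ids the effective assignment listing grants user_id on project_id.

    Entries for other users or other scopes are skipped, so the function also
    works on an unfiltered listing.
    """
    ids = set()
    for entry in assignments_response.get("role_assignments", []):
        if entry.get("user", {}).get("id") != user_id:
            continue
        if entry.get("scope", {}).get("project", {}).get("id") != project_id:
            continue
        ids.add(entry["role"]["id"])
    return ids


def unexplained_token_roles(token_response, assignments_response):
    """Return (role_id, role_name) pairs present in the token but absent from
    the effective assignments for the token's own user and project.

    On a healthy deployment the result is empty: every role in a scoped token
    should trace back to a direct, group, or inherited assignment, all of
    which the effective listing expands into per-user entries.
    """
    token = token_response["token"]
    user_id = token["user"]["id"]
    project_id = token["project"]["id"]
    recorded = recorded_role_ids(assignments_response, user_id, project_id)
    return sorted(
        (role["id"], role["name"])
        for role in token.get("roles", [])
        if role["id"] not in recorded
    )


if __name__ == "__main__":
    for role_id, name in unexplained_token_roles(SAMPLE_TOKEN, SAMPLE_ASSIGNMENTS):
        print(f"token carries role {name!r} ({role_id}) with no backing assignment")
```

Run against the samples, the check reports the `admin` role, which is exactly the symptom in the report: the token grants a role the assignment table never recorded for that user. Feeding real responses in requires the `effective` listing rather than the plain one, otherwise group-derived roles would be flagged as false positives.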
CVE References
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
status: Incomplete → In Progress
summary: federated user gets wrong role → federated user gets wrong role (CVE-2017-2673)
Changed in ossa:
status: In Progress → Fix Committed
importance: Undecided → Critical
description: updated
information type: Private Security → Public
summary: federated user gets wrong role (CVE-2017-2673) → [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)
To use this vulnerability, an attacker can ask an admin to get a role in their project ("hey admin@Default, could you please have a look at the instances in my project?") and gets all admin privileges as soon as the admin assigns themselves a role on the attacker's project.