[OSSA-2020-004] Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID (CVE-2020-12691)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Colleen Murphy | ||
OpenStack Security Advisory |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
"_build_
Thus even having a '"identity:
curl -X PATCH https:/
"credential": {
"project_id": "_target_
"user_id": "_target_user_id_"
}
}'
Additionally it is possible to Create a credential with any existing project_id, though it doesn't have a serious security issue, e.g.:
{
"credential": {
"blob": "{\"access\": \"ffe6fc21b47c4
"id": "3c2b3265350c6d
"project_id": "_any_project_id_",
"type": "ec2",
"user_id": "_my_user_id_"
}
}
CVE References
Jeremy Stanley (fungi) wrote : | #1 |
description: | updated |
Changed in ossa: | |
status: | New → Incomplete |
kay (kay-diam) wrote : | #2 |
In case, when "/credentials" endpoint is used to store a secret for TOTP (Time-based One-time Password), an attacker can set a TOTP secret for a victim user and it will be used to verify TOTP "passcode" along with all "totp" secrets, associated with a victim user.
Colleen Murphy (krinkle) wrote : | #3 |
Verified. This is a critical issue as it allows any authenticated user to escalate to admin privileges. However, it is mitigated somewhat by the fact that the attacker needs to know or guess the UUID of the admin user and admin project, or the UUIDs of the user and project they are trying to impersonate.
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → High |
Colleen Murphy (krinkle) wrote : | #4 |
- 0001-Disable-altering-credential-owner-attributes.patch Edit (4.9 KiB, text/plain)
Patch attached. Currently running tempest and unit tests on it locally.
Changed in keystone: | |
assignee: | nobody → Colleen Murphy (krinkle) |
status: | Triaged → In Progress |
Lance Bragstad (lbragstad) wrote : | #5 |
The proposed patch in comment #4 looks good and the unit test covers the exposed behavior.
Gage Hugo (gagehugo) wrote : | #6 |
Thanks cmurphy for the quick fix, looks good and works for me locally.
With the verification here and fix, this is looking like a Class A vulnerability according to the VMT taxonomy[0]. Even with the requirement to know/guess UUIDs, this looks to be something that is exploitable by any authenticated user.
[0] https:/
Kristi Nikolla (knikolla) wrote : | #7 |
Patch in #4 looks good and unit test covers the issue. Was able to reproduce the bug local.
Colleen Murphy (krinkle) wrote : | #8 |
Tempest and py37 unit tests pass for me locally. We will need to backport this to all supported releases. I have backports prepared, but we should wait for the keystone stable/stein branch to be unblocked before proposing them[0].
kay (kay-diam) wrote : | #9 |
Hi Colleen. Could you also add a protection and unit test for create action? It is not so serious, but would be great to have.
As I mentioned in original ticket it is possible to create EC2 credentials with any existing projectID, even if it is a domainID:
curl -X POST https:/
"credential": {
"blob": "{\"access\": \"ffe6fc21b47c4
"id": "3c2b3265350c6d
"project_id": "_any_project_id_",
"type": "ec2",
"user_id": "_my_user_id_"
}
}'
This credential won't be useful, but it would be great to have this protection.
Colleen Murphy (krinkle) wrote : | #10 |
Protecting the POST case is more complicated because not all credential types use project_id and so the credentials policy only checks against the credential's owner, not their scope. Since this behavior is longstanding and can't be exploited to elevate the user's privileges, I'm inclined not to fix it.
Jeremy Stanley (fungi) wrote : | #11 |
Since exploiting this depends on the attacker obtaining a UUID to which they should not normally have access, the VMT would typically consider this a class C1 report:
https:/
As such, it shouldn't warrant the overhead of an embargo process and would be fine finishing in public instead. Does anyone disagree with that assessment?
Jeremy Stanley (fungi) wrote : | #12 |
Oh, now I see Gage's suggestion to treat it as a class A report instead. Gage, what's the scenario where an authenticated user can exploit this without access to the victim's UUID?
Gage Hugo (gagehugo) wrote : | #13 |
I believe I was thinking that an authenticated user would be able to guess easier than a remote non-authenticated user. I'm fine with classifying this as C1 since it really does depend on UUID guessing.
kay (kay-diam) wrote : | #14 |
In certain OpenStack environments user listing is allowed. As for the project IDs, users just post them in chats/github and don't think it is a secret. I'd not call it "guessing".
Colleen Murphy (krinkle) wrote : | #15 |
Resource UUIDs are often not as carefully protected as other secret information. We have already set a precedent[0] that UUIDs are effectively public.
Kristi Nikolla (knikolla) wrote : | #16 |
In our environment, we allow users with project_admin role to list people in their project. If a user with an admin role is part of the project of a malicious user (maybe to help with some debugging, or an inherited role), this would allow the malicious user to know the UUID of the admin user.
Jeremy Stanley (fungi) wrote : | #17 |
Since it's been suggested that account UUIDs are generally available to untrusted users in some environments, I concur that this is better handled as a class A report and continuing the embargo is unfortunately warranted.
The UUID guessing guidance was added as an example for the C1 report classification in 2015 via https:/
kay (kay-diam) wrote : | #18 |
There are at least two use cases, when project admin user or barbican secret owner needs to know user ID (in certain cases they are provisioned automatically, e.g. by LDAP):
* assign a project role to this user, so he can access the project: https:/
Therefore it is not clear, whether user IDs or project IDs have to be considered as sensitive.
Colleen Murphy (krinkle) wrote : | #19 |
- 0001-Disable-altering-credential-owner-attributes.patch Edit (5.1 KiB, text/plain)
Updated release notes in patch to include bug reference
Colleen Murphy (krinkle) wrote : | #20 |
Is a CVE being requested for this? How can we move this forward?
Gage Hugo (gagehugo) wrote : | #21 |
If we agree that this should be considered a Class A, I can write up an impact description for this.
Gage Hugo (gagehugo) wrote : | #22 |
First draft below, please review:
Assuming that this affects all currently maintained releases of keystone.
Title: Credentials endpoint policy logic allows changing credential owner and target project ID
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any authenticated user could create an EC2 credential for themselves for a project that they have a specified role on, then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows the malicious user to act as the admin on a project another user has the admin role on.
Colleen Murphy (krinkle) wrote : | #23 |
> This potentially allows the malicious user to act as the admin on a project another user has the admin role on
... which in many cases can effectively grant the user global admin privileges.
Gage Hugo (gagehugo) wrote : | #24 |
Updated, please review:
Title: Credentials endpoint policy logic allows changing credential owner and target project ID
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0
Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any authenticated user could create an EC2 credential for themselves for a project that they have a specified role on, then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows the malicious user to act as the admin on a project another user has the admin role on, which can effectively grant the user global admin privileges.
Colleen Murphy (krinkle) wrote : | #25 |
lgtm
Jeremy Stanley (fungi) wrote : | #26 |
Gage's impact description in comment #24 works for me, I think we're set to get a CVE request rolling for this one and propose a disclosure timeline once the stable branch backports are confirmed viable.
Gage Hugo (gagehugo) wrote : | #27 |
Could we get a patch for Stein/Train for this as well?
Waiting on a response for the CVE.
I'd like to propose next Tuesday (May 5th) as the proper disclosure date as well for this. Does that sound reasonable?
Colleen Murphy (krinkle) wrote : | #28 |
Colleen Murphy (krinkle) wrote : | #29 |
Jeremy Stanley (fungi) wrote : | #30 |
May 5 disclosure should work as long as we send a downstream stakeholder notification with the patches for this no later than tomorrow (Friday, May 1).
Jeremy Stanley (fungi) wrote : | #31 |
In retrospect, what with the tight timeline and this being a major holiday weekend for much of the World, let's push the advisory date to Wednesday May 6.
Gage Hugo (gagehugo) wrote : | #32 |
May 6th works, we will still send out the embargo notification today.
Gage Hugo (gagehugo) wrote : | #33 |
Embargo email sent.
Nick Tait (nickthetait) wrote : | #34 |
I support Class A for this. Eagerly awaiting CVE assignment. Simplified the description a little, you are welcome to use this:
kay reported a vulnerability in Keystone's EC2 credentials API. Any authenticated user could create an EC2 credential in a project that they have a specified role on, then modify the credential user and project, allowing them to masquerade as another user. This may enable a malicious user to escalate themselves as an admin which (in some environments) is equivalent to gaining global admin privileges.
Colleen Murphy (krinkle) wrote : | #35 |
- bug-1872733.diff Edit (660 bytes, text/plain)
I've reworked this patch to include fixes for bug 1872733, bug 1872735 and bug 1872755 and to resolve the merge conflict arising from the fix for bug 1872737. These patches are independently appliable but they won't pass unit tests without also applying the fix for 1873290. I've attached them on bug 1872735.
In validating the new version I noticed an error in the solution for this bug, attaching the diff here.
Gage Hugo (gagehugo) wrote : | #36 |
The embargo for this bug has expired, we will be making public and fixes will be available in gerrit here shortly.
description: | updated |
information type: | Private Security → Public Security |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master) | #37 |
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ussuri) | #38 |
Fix proposed to branch: stable/ussuri
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train) | #39 |
Fix proposed to branch: stable/train
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/stein) | #40 |
Fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/rocky) | #41 |
Fix proposed to branch: stable/rocky
Review: https:/
Changed in ossa: | |
status: | Incomplete → In Progress |
OpenStack Infra (hudson-openstack) wrote : Fix merged to ossa (master) | #42 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 2548f46b0aff357
Author: Gage Hugo <email address hidden>
Date: Wed May 6 10:57:15 2020 -0500
Add OSSA-2020-004 (CVEs Pending)
Change-Id: Ide28e91b184eda
Closes-Bug: #1872735
Closes-Bug: #1872733
Changed in ossa: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/pike) | #43 |
Fix proposed to branch: stable/pike
Review: https:/
summary: |
- Keystone V3 /credentials endpoint policy logic allows to change - credentials owner or target project ID + [OSSA-2020-004] Keystone V3 /credentials endpoint policy logic allows to + change credentials owner or target project ID (CVE-2020-12691) |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/ussuri) | #44 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/ussuri
commit 2f2736ebb267c75
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Change-Id: I39d0d705839fbe
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
(cherry picked from commit 37e9907a176dad6
tags: | added: in-stable-ussuri |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master) | #45 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 37e9907a176dad6
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Change-Id: I39d0d705839fbe
Closes-bug: #1872733
Closes-bug: #1872755
Closes-bug: #1872735
Changed in keystone: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens) | #46 |
Fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train) | #47 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit 54590544fb7a2cd
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9, test helper
in 52da4d0e12):
Depends-on: htt...
tags: | added: in-stable-train |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/stein) | #48 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 206392a40ce3da3
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
Change-Id: I39d0d705839fbe
tags: | added: in-stable-stein |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/rocky) | #49 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 53d1ccb8a1bdbb5
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
Conflicts due to flask reorg:
keys...
tags: | added: in-stable-rocky |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens) | #50 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 487c7276c7608fb
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
Conflicts due to flask reorg:
key...
tags: | added: in-stable-queens |
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/pike) | #51 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/pike
commit a405e4b71d7de31
Author: Colleen Murphy <email address hidden>
Date: Tue Apr 14 16:47:44 2020 -0700
Fix security issues with EC2 credentials
This change addresses several issues in the creation and use of EC2/S3
credentials with keystone tokens.
1. Disable altering credential owner attributes or metadata
Without this patch, an authenticated user can create an EC2 credential
for themself for a project they have a role on, then update the
credential to target a user and project completely unrelated to them. In
the worst case, this could be the admin user and a project the admin
user has a role assignment on. A token granted for an altered credential
like this would allow the user to masquerade as the victim user. This
patch ensures that when updating a credential, the new form of the
credential is one the acting user has access to: if the system admin
user is changing the credential, the new user ID or project ID could be
anything, but regular users may only change the credential to be one
that they still own.
Relatedly, when a user uses an application credential or a trust to
create an EC2 credential, keystone automatically adds the trust ID or
application credential ID as metadata in the EC2 access blob so that it
knows how the token can be scoped when it is used. Without this patch, a
user who has created a credential in this way can update the access blob
to remove or alter this metadata and escalate their privileges to be
fully authorized for the trustor's, application credential creator's, or
OAuth1 access token authorizor's privileges on the project. This patch
fixes the issue by simply disallowing updates to keystone-controlled
metadata in the credential.
2. Respect token roles when creating EC2 credentials
Without this patch, a trustee, an application credential user, or an
OAuth1 access token holder could create an EC2 credential or an
application credential using any roles the trustor, application
credential creator, or access token authorizor had on the project,
regardless of whether the creator had delegated only a limited subset of
roles. This was because the trust_id attribute of the EC2 access blob
was ignored, and no metadata for the application credential or access
token was recorded either. This change ensures that the access
delegation resource is recorded in the metadata of the EC2 credential
when created and passed to the token provider when used for
authentication so that the token provider can look up the correct roles
for the request.
Conflicts (six removal in e2d83ae9, pep8 fixes in e2d83ae9):
Conflicts due to flask reorg:
tags: | added: in-stable-pike |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone pike-eol | #52 |
This issue was fixed in the openstack/keystone pike-eol release.
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone queens-eol | #53 |
This issue was fixed in the openstack/keystone queens-eol release.
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone rocky-eol | #54 |
This issue was fixed in the openstack/keystone rocky-eol release.
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.