[OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Steven Hardy | 2014.1
Grizzly | Fix Released | Critical | Dolph Mathews |
Havana | Fix Released | Critical | Steven Hardy |
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |
Bug Description
So I finally got around to investigating the scenario I mentioned in https:/
Steps to reproduce:
- Trustor creates a trust delegating a subset of roles
- Trustee gets a token scoped to that trust
- Trustee creates an ec2-keypair
- Trustee makes a request to the ec2tokens API, to validate a signature created with the keypair
- ec2tokens API returns a new token, which is not scoped to the trust and enables access to all the trustor's roles.
I can provide some test code which demonstrates the issue.
Changed in keystone:
  importance: Undecided → Critical
  status: New → Confirmed
Changed in ossa:
  importance: Undecided → High
  status: New → Confirmed
Changed in keystone:
  assignee: nobody → Steven Hardy (shardy)
  summary: ec2tokens API doesn't handle trust-scoped tokens correctly → ec2tokens API doesn't handle trust-scoped tokens correctly (CVE-2013-6391)
Changed in ossa:
  assignee: Thierry Carrez (ttx) → Jeremy Stanley (fungi)
Changed in ossa:
  status: In Progress → Fix Committed
  information type: Private Security → Public Security
Changed in keystone:
  assignee: Jeremy Stanley (fungi) → Steven Hardy (shardy)
  summary: ec2tokens API doesn't handle trust-scoped tokens correctly → [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)
Changed in ossa:
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: none → icehouse-2
  status: Fix Committed → Fix Released
  tags: removed: in-stable-grizzly
Changed in keystone:
  milestone: icehouse-2 → 2014.1
So, looking into this a bit more, it seems that we need to implement something similar to https://review.openstack.org/#/c/40444/ to fix this.
Currently the token in the ec2 controller is generated with the user_id and no knowledge of trusts. There are some issues with that patch atm though, looks like it still needs significant work.
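The reproduction steps in the bug description and the root cause named in the comment above (the ec2 controller issued the token from user_id alone, with no knowledge of trusts) as an added example. This is a constructed in-memory model written for this page, not Keystone code: the names IdentityModel, Trust, Token, Ec2Credential, ec2_authenticate and reproduce are hypothetical, the users, roles, trust and canonical request are made up, and the hardened path (recording the trust id on the credential and re-scoping the returned token to the trust's delegated roles) is one way to close the gap, not a claim about what the upstream patch does. The vulnerable path and the hardened path run side by side so the difference in the returned roles is visible.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed model of the pieces involved in the bug. Not Keystone code;
# the class and function names below are hypothetical.


@dataclass
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    roles: FrozenSet[str]  # the subset of the trustor's roles that is delegated


@dataclass
class Token:
    user_id: str  # an impersonating trust token acts as the trustor
    roles: FrozenSet[str]
    trust_id: Optional[str] = None  # None means an ordinary, unscoped token


@dataclass
class Ec2Credential:
    access: str
    secret: str
    user_id: str
    trust_id: Optional[str] = None  # only recorded by the hardened path


def sign(secret: str, canonical_request: str) -> str:
    """EC2-style request signature: HMAC-SHA256 over the canonical request."""
    return hmac.new(secret.encode(), canonical_request.encode(), hashlib.sha256).hexdigest()


class IdentityModel:
    def __init__(self, user_roles: Dict[str, FrozenSet[str]], trusts: Dict[str, Trust]):
        self.user_roles = user_roles  # step 1: trusts are created up front by the trustor
        self.trusts = trusts
        self.credentials: Dict[str, Ec2Credential] = {}

    def trust_token(self, trustee_id: str, trust_id: str) -> Token:
        """Step 2: the trustee obtains a token scoped to the trust."""
        trust = self.trusts[trust_id]
        if trust.trustee_user_id != trustee_id:
            raise PermissionError("not the trustee of this trust")
        return Token(user_id=trust.trustor_user_id, roles=trust.roles, trust_id=trust_id)

    def create_ec2_credential(self, token: Token, record_trust: bool) -> Ec2Credential:
        """Step 3: create an EC2 keypair. The vulnerable path keeps only user_id."""
        cred = Ec2Credential(
            access=secrets.token_hex(8),
            secret=secrets.token_hex(16),
            user_id=token.user_id,
            trust_id=token.trust_id if record_trust else None,
        )
        self.credentials[cred.access] = cred
        return cred

    def ec2_authenticate(self, access: str, canonical_request: str,
                         signature: str, honour_trust: bool) -> Token:
        """Steps 4 and 5: ec2tokens checks the signature and issues a token."""
        cred = self.credentials[access]
        if not hmac.compare_digest(sign(cred.secret, canonical_request), signature):
            raise PermissionError("signature mismatch")
        if honour_trust and cred.trust_id is not None:
            # Hardened: re-scope to the trust, so only the delegated roles come back.
            trust = self.trusts[cred.trust_id]
            return Token(user_id=cred.user_id, roles=trust.roles, trust_id=cred.trust_id)
        # Vulnerable: only user_id is consulted, so every role of that user is granted.
        return Token(user_id=cred.user_id, roles=self.user_roles[cred.user_id])


def reproduce(hardened: bool) -> Token:
    """Run the reporter's steps and return the token ec2tokens hands back."""
    model = IdentityModel(
        user_roles={  # constructed sample data
            "alice": frozenset({"admin", "member", "heat_stack_owner"}),
            "bob": frozenset({"member"}),
        },
        trusts={"trust-1": Trust("trust-1", "alice", "bob", frozenset({"heat_stack_owner"}))},
    )
    trust_tok = model.trust_token("bob", "trust-1")  # step 2
    cred = model.create_ec2_credential(trust_tok, hardened)  # step 3
    req = "GET\nkeystone.example\n/v2.0/ec2tokens\nAction=DescribeInstances"  # constructed
    return model.ec2_authenticate(cred.access, req, sign(cred.secret, req), hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        tok = reproduce(hardened)
        print("hardened" if hardened else "vulnerable", sorted(tok.roles), tok.trust_id)
```

In the vulnerable run the trustee bob ends up holding a token with all of alice's roles and no trust id, which is the circumvention the report describes; in the hardened run the ec2tokens path finds the trust id on the credential and hands back only heat_stack_owner, still scoped to trust-1. The signature check is the same on both paths: the flaw is not in signature verification but in what the controller does after a valid signature.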