Domain Admins possibility for privilege escalation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
Bug Description
Today we tested the Domain Admin functionality in Keystone, here is what we set up for our test:
- a new additional Domain called "test" next to default
- a new group for the domain admins of the new domain called "test-admins"
- a new user in the "test" domain that we added to the group "test-admins"
- a new project called "admin" in the "test" domain
We then just added an admin role for the "test-admins" group to the "test" domain:
`openstack role add --domain test --group test-admins admin`
After that the user was just able to list the users and projects of the new "test" domain and the permissions looked like we would expect for a Domain Admin.
We then were able to add the following role with the new domain admin user:
"openstack role add --group test-admins --project 8c4c0c4a01fe4c0
(ID is from the "admin" project in the "test" domain)
After that we added the following lines to our rc file:
export OS_PROJECT_
export OS_PROJECT_
With the admin role in the admin project of the new domain the user now is able to list the users of all domains, create new domains, and so on. For us it looks like we gained Cloud Admin privileges.
We tested this in Keystone Ussuri. It is also reproducible in Wallaby.
We are unsure if that is actually a privilege escalation issue or if we have something that is configured wrong on our side. Thanks in advance for any help, we can provide further information if needed.
Regards
Simon
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
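Added example (not code from the bug report, from Keystone or from oslo.policy): a toy evaluator for simplified policy rule strings that replays the report's token scopes against a scope-blind `role:admin` rule and against the scoped rule shapes that Keystone's newer defaults use. It illustrates one plausible mechanism for what the reporter saw: a rule that only tests the role name cannot tell a token scoped to a project in the "test" domain apart from a system-scoped cloud-admin token. The rule strings, the credential dicts and the project ID are constructed for this example, and the idea that a deprecated scope-blind rule is still OR'd into the effective policy is an assumption about the reporter's deployment, not something the report establishes. The check a practitioner would run is to dump the effective policy (`oslopolicy-policy-generator --namespace keystone`) and inspect `[oslo_policy] enforce_scope` and `enforce_new_defaults` in keystone.conf, where the deployed oslo.policy version offers them.

```python
"""Toy policy evaluator replaying the domain-admin report (added example).

Not Keystone or oslo.policy code. Rule strings and credentials below are
constructed; the "legacy fallback" is an assumption, not a confirmed cause.
"""
from typing import Optional

# --- simplified rule language --------------------------------------------
# Supports "(k:v and k:v) or (k:v)". "role:NAME" checks creds["roles"];
# a value "%(target.x)s" is substituted from target["x"].


def _atom(atom: str, creds: dict, target: dict) -> bool:
    key, value = atom.split(":", 1)
    if value.startswith("%(") and value.endswith(")s"):
        ref = value[2:-2]                       # e.g. "target.domain_id"
        if not ref.startswith("target."):
            raise ValueError(f"unsupported reference {ref!r}")
        value = target.get(ref[len("target."):])
        if value is None:                       # nothing to compare against
            return False
    if key == "role":
        return value in creds.get("roles", ())
    return creds.get(key) == value


def check(rule: str, creds: dict, target: Optional[dict] = None) -> bool:
    """Return True if any "or"-clause of rule passes for these credentials."""
    target = target or {}
    for clause in rule.split(" or "):
        atoms = clause.strip().strip("()").split(" and ")
        if all(_atom(a.strip(), creds, target) for a in atoms):
            return True
    return False


# --- rule shapes (modelled on Keystone's defaults, not copied from them) ---
LEGACY_ADMIN = "role:admin"                      # scope-blind admin check
CREATE_DOMAIN = "(role:admin and system_scope:all)"
LIST_USERS = ("(role:admin and system_scope:all) or "
              "(role:admin and domain_id:%(target.domain_id)s)")


def with_legacy_fallback(rule: str) -> str:
    """Model a deployment where the scope-blind rule is still OR'd into the
    scoped one (assumption: deprecated-rule fallback still in effect)."""
    return f"{rule} or {LEGACY_ADMIN}"


# --- constructed credentials for the tokens described in the report ------
# Shapes modelled on what Keystone passes to the policy engine; the project
# ID is a placeholder, not the one from the report.
DOMAIN_SCOPED = {"user_id": "test-user", "roles": ["admin"],
                 "domain_id": "test"}            # scoped to domain "test"
PROJECT_SCOPED = {"user_id": "test-user", "roles": ["admin"],
                  "project_id": "admin-project-in-test",
                  "project_domain_id": "test"}   # scoped to the "admin" project
SYSTEM_SCOPED = {"user_id": "cloud-admin", "roles": ["admin"],
                 "system_scope": "all"}          # a real cloud admin


def decisions(rule: str) -> dict:
    """Evaluate rule for each token against two targets: the reporter's own
    domain and the default domain. Returns {token_name: (own, default)}."""
    tokens = {"domain-scoped": DOMAIN_SCOPED,
              "project-scoped": PROJECT_SCOPED,
              "system-scoped": SYSTEM_SCOPED}
    return {name: (check(rule, c, {"domain_id": "test"}),
                   check(rule, c, {"domain_id": "default"}))
            for name, c in tokens.items()}


if __name__ == "__main__":
    cases = [("scope-blind role:admin", LEGACY_ADMIN),
             ("scoped list_users", LIST_USERS),
             ("scoped list_users + legacy fallback",
              with_legacy_fallback(LIST_USERS)),
             ("scoped create_domain", CREATE_DOMAIN)]
    for label, rule in cases:
        print(f"{label}:")
        for name, (own, other) in decisions(rule).items():
            print(f"  {name:15} own domain={own!s:5} default domain={other}")
```

Under the scope-blind rule, and under the scoped rule once the legacy fallback is OR'd back in, the project-scoped token is allowed everything the system-scoped one is, which is the behaviour the report describes; under the scoped rules alone the project-scoped token gets neither cloud-wide nor domain-wide rights, and the domain-scoped token only reaches its own domain.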