OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keystone | Openstack | 2013.2 (including) | 2013.2.4 (excluding) |
| Keystone | Openstack | 2014.1 (including) | 2014.1.2 (excluding) |
| OpenStack 3 for RHEL 6 | RedHat | openstack-keystone-0:2013.1.5-3.el6ost | * |
| OpenStack 4 for RHEL 6 | RedHat | openstack-keystone-0:2013.2.3-7.el6ost | * |
| Keystone | Ubuntu | saucy | * |
| Keystone | Ubuntu | trusty | * |
| Keystone | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.html
- http://secunia.com/advisories/57886
- http://secunia.com/advisories/59547
- http://www.openwall.com/lists/oss-security/2014/06/12/3
- http://www.securityfocus.com/bid/68026
- https://bugs.launchpad.net/keystone/+bug/1324592
- http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.html
- http://secunia.com/advisories/57886
- http://secunia.com/advisories/59547
- http://www.openwall.com/lists/oss-security/2014/06/12/3
- http://www.securityfocus.com/bid/68026
- https://bugs.launchpad.net/keystone/+bug/1324592