[Openstack-security] [Bug 1460024] Re: Service can create trust using received token

Jeremy Stanley fungi at yuggoth.org
Mon Jun 1 19:26:58 UTC 2015 

I've switched this bug to public and added a security tag in case
someone wants to make sure it's a behavior we have documented clearly
(in Keystone's docs, deployment manuals, security guide, OSSN,
wherever).

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  It seems possible for a service to create a trust using a token supplied
  by client on an API call.
  
  Use-case:
  
  1. User uses login/password to get a token from keystone.
  2. User creates a client of a service providing the token.
  3. Client uses service API providing the token.
  4. Service creates a trust allowing it to impersonate the user at any time.
  5. The trust is created and the user doesn't know about it.
  
  Don't know whether it bug or a feature, but it doesn't look legitimate
  to me.

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1460024

Title:
  Service can create trust using received token

Status in OpenStack Identity (Keystone):
  Invalid
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  It seems possible for a service to create a trust using a token
  supplied by client on an API call.

  Use-case:

  1. User uses login/password to get a token from keystone.
  2. User creates a client of a service providing the token.
  3. Client uses service API providing the token.
  4. Service creates a trust allowing it to impersonate the user at any time.
  5. The trust is created and the user doesn't know about it.

  Don't know whether it bug or a feature, but it doesn't look legitimate
  to me.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1460024/+subscriptions

More information about the Openstack-security mailing list