Re: [OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING)

7 May 2020

      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
======================================================================================
OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential
auth method
======================================================================================
:Date: May 06, 2020
:CVE: CVE-2020-12692
Affects
~~~~~~~
- - Keystone: <15.0.1, ==16.0.0
Description
~~~~~~~~~~~
kay reported a vulnerability with keystone's EC2 API. Keystone doesn't
have a signature TTL check for AWS signature V4 and an attacker can
sniff the auth header, then use it to reissue an openstack token an
unlimited number of times.
Errata
~~~~~~
CVE-2020-12692 was assigned after the original publication date.
Patches
~~~~~~~
- - https://review.opendev.org/725385 (Rocky)
- - https://review.opendev.org/725069 (Stein)
- - https://review.opendev.org/724954 (Train)
- - https://review.opendev.org/724746 (Ussuri)
- - https://review.opendev.org/724124 (Victoria)
Credits
~~~~~~~
- - kay (CVE-2020-12692)
References
~~~~~~~~~~
- - https://launchpad.net/bugs/1872737
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12692
Notes
~~~~~
- - The stable/rocky branch is under extended maintenance and will receive
no new
  point releases, but a patch for it is provided as a courtesy.
OSSA History
~~~~~~~~~~~~
- - 2020-05-07 - Errata 1
- - 2020-05-06 - Original Version
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl60dXoACgkQ56j9K3b+
vREOnxAAtrb94nekVD1bjsjmp2bJsJoN4alwIySMJzDAXp9aU2j23jS3pEixLuBN
lkK6AA7BwKY5HgNtEeWrau+Ri+GOyYlhRMXZy+z+JC6+9qYxdFwcatL6yLYwkrOF
pMREuwbENZMBgl3HgIotJU/RqilZXf+7OLCO9ZaciaYvXkM3e5TswxYme9S+9r57
OQ6veWVEfTTadTK+wp9tZ4RzPcgKAwiCEX2w1uYBCAMrh+GAWFBEiD4J7IEOvs2u
TgnI/znFnQSb1f2CIYENGRevBFRvtILfovMI71rgwgNrof15Z6G6U3PW+yLPFaWg
rqQd3wEmmUPNF/RQdOIngktTXEkQI1DsUkCg/75EZlDVBayUP1qyP1nlK/uAwRoX
w0p6cPS/rREiOuCfCUKJ6tGg8e4/5o55cwbX/Bv/4KQxqCpD5W7XB1y81A0xnwsz
btBZkio3KZZltCST+dNrmLIm3ZxdGQoC+wA+BweaAiMZf2HP8sSOxegDOGhWvBPm
p23fH1kToH6vnGdGnp5SAIEcFg8Cu8LFVovZFHvfaN84XkRyX3Yqc+n88IauF0re
pFf1iegTAArgminNCuTKKswLNgLr5J6SkKH/LTb3/hKgduRabRzKcBreP371fuvP
K5/QCmXEyOT8HbQstWaEXmy9FvDh35lvmXtaKWBhB0LR8kWAY8s=
=fTyp
-----END PGP SIGNATURE-----

On Wed, May 6, 2020 at 2:41 PM Gage Hugo gagehugo@gmail.com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> ======================================================================================
> OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential
> auth method
>
> ======================================================================================
>
> :Date: May 06, 2020
> :CVE: Pending
>
>
> Affects
> ~~~~~~~
> - - Keystone: <15.0.1, ==16.0.0
>
>
> Description
> ~~~~~~~~~~~
> kay reported a vulnerability with keystone's EC2 API. Keystone doesn't
> have a signature TTL check for AWS signature V4 and an attacker can
> sniff the auth header, then use it to reissue an openstack token an
> unlimited number of times.
>
>
> Patches
> ~~~~~~~
> - - https://review.opendev.org/725385 (Rocky)
> - - https://review.opendev.org/725069 (Stein)
> - - https://review.opendev.org/724954 (Train)
> - - https://review.opendev.org/724746 (Ussuri)
> - - https://review.opendev.org/724124 (Victoria)
>
>
> Credits
> ~~~~~~~
> - - kay (CVE Pending)
>
>
> References
> ~~~~~~~~~~
> - - https://launchpad.net/bugs/1872737
> - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending
>
>
> Notes
> ~~~~~
> - - The stable/rocky branch is under extended maintenance and will receive
> no new
>   point releases, but a patch for it is provided as a courtesy.
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zEjwACgkQ56j9K3b+
> vRFejhAAvzq3MBwKGXIKsJxQmwVS0RxVFifTAfnKIjBGskG3knWkQHopY0IcmwoZ
> 3Kv2AnRgFVBuQpZ0t9Y3S3U7KRI63FT+kzA3gy9sB+h7rdqzquxejXvljRMGJlex
> WRCOQwRP4prFpzpUqzBg9/bIAyWpkrjJIvz7iJ9U3z6MbrZIjV+YEZ3JIRQTdMUj
> MajgwJ4EDynkh8trm63n7Gyuvq8ukj1FCrG1APWJi96HhwNz6XwiqXIWci4CTaEW
> sY9v8luETMCyv+nY2pt9IF8wXOaJKJXPTilf6sisjN2zDq+UWgsxEC0sp3h09tnZ
> m6cy3OvUQeDmdJVQ/VNsfUTeRYRvYri2u44FaOUBjsNxeZca1U4MCVkAiN9BBzkg
> k1Xb8zgGoXaytT/lzzyr67h6ZghKm6cnSUktWnX56847byOMPi/g9q1cu0edUwwC
> 7SDaQ08JbsEstiXtPVBhatTLxbjlNy5eql6NaZmFQatYJAQKZsasvwV4YBv290mu
> OsVHUEqjmYk4b4CZNPQC2681CDtAQpiLuasYiLnxC6I+zBTwfP+6tzP0xVHW4woi
> 4Jhl/watZMudrtMS3YoOmwZ4iFNJRzQcDWmiAr0CZiC0NGamLjvHWHRslnvmhy92
> kSGWLilaMD5vBODXVY82lQHrbl96dPRbpe8/z29sALsEs6aNFYk=
> =qyBV
> -----END PGP SIGNATURE-----
...