[openstack-announce] [OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)

Gage Hugo gagehugo at gmail.com
Thu May 7 21:00:17 UTC 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=================================================================================================================
OSSA-2020-004: Keystone credential endpoints allow owner modification and
are not protected from a scoped context
=================================================================================================================

:Date: May 06, 2020
:CVE: CVE-2020-12689,
      CVE-2020-12691


Affects
~~~~~~~
- - Keystone: <15.0.1, ==16.0.0


Description
~~~~~~~~~~~
kay reported two vulnerabilities in keystone's EC2 credentials API.
Any authenticated user could create an EC2 credential for themselves
for a project that they have a specified role on, then perform an
update to the credential user and project, allowing them to masquerade
as another user. (CVE-2020-12691) Any authenticated user within a
limited scope (trust/oauth/application credential) can create an EC2
credential with an escalated permission, such as obtaining admin while
the user is on a limited viewer role. (CVE-2020-12689) Both of these
vulnerabilities potentially allow a malicious user to act as admin on
a project that another user has the admin role on, which can
effectively grant the malicious user global admin privileges.


Errata
~~~~~~
CVE-2020-12689 and CVE-2020-12691 were assigned after the original
publication date.


Patches
~~~~~~~
- - https://review.opendev.org/725895 (Rocky)
- - https://review.opendev.org/725893 (Stein)
- - https://review.opendev.org/725891 (Train)
- - https://review.opendev.org/725888 (Ussuri)
- - https://review.opendev.org/725886 (Victoria)


Credits
~~~~~~~
- - kay (CVE-2020-12689, CVE-2020-12691)


References
~~~~~~~~~~
- - https://launchpad.net/bugs/1872733
- - https://launchpad.net/bugs/1872735
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12689
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12691


Notes
~~~~~
- - The stable/rocky branch is under extended maintenance and will receive
no new
  point releases, but a patch for it is provided as a courtesy.


OSSA History
~~~~~~~~~~~~
- - 2020-05-07 - Errata 1
- - 2020-05-06 - Original Version
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl60dYUACgkQ56j9K3b+
vRESOw//YJGlVKCPz7HkUtmyu6RWnpGzSPMoWhzP0HyLLpStMlrFXUKNZsgfXAw3
90vFD6zWSSWn2abJxlyW4JFDtOALKdGEZ0Ml68WSREDdupyOyd+G/ucT01Y95wB2
6nHkoHVvKbhPAI1OeV2haNGp02UUROSLGBT/FtvFnnCAcfAiUfI7+kBbLQgeG50q
/MNQlfaWi0uBxCt/HZg0YqZ3QXIE/LuS2MgFkaQ2+Yr4r9V1M58Wi2pYA1Dkhz6e
J7q/2hDJ1Nn7P4LHUuZEXupR3Ztjrnh5uIO8yr2jSK/r4DawCmRMqT24r7ebS5ZA
/p+JhvV0+StujicmhfPSyY3A24kNHRQCSCOlFn0xF8aN+/VEFT82SOIf+NVuutZb
04wzrp4D3KIrSoulIbXVebAX+lj21qvlaYGwPAkmT8/p7kmj8mGWMlWhqBrCBJIC
OiGd9pUe2GQcRSvBPj2Bex4WZCedvehSkPAiWh1MXFmUAUb2T7iNXNP7BlMd7LZA
gdM4gW6HeFUEysj0vQfSCF+Mu+cB1PAjKZgqgHX7twgu+sOzlCKDlFkQuuzbma3M
abGlfPwVl1v7X/xZ0U7xAwViFCAI+gpqA+Yi1hmMirxzyotUWn/J17AtvhOk3Hms
mwUZiGr41oJhGhX3uSB2Jn0TulA+qhapncuMxG5qDk9Y/ijcpmQ=
=ddr5
-----END PGP SIGNATURE-----

On Wed, May 6, 2020 at 2:48 PM Gage Hugo <gagehugo at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> =================================================================================================================
> OSSA-2020-004: Keystone credential endpoints allow owner modification and
> are not protected from a scoped context
>
> =================================================================================================================
>
> :Date: May 06, 2020
> :CVE: Pending
>
>
> Affects
> ~~~~~~~
> - - Keystone: <15.0.1, ==16.0.0
>
>
> Description
> ~~~~~~~~~~~
> kay reported two vulnerabilities in keystone's EC2 credentials API.
> Any authenticated user could create an EC2 credential for themselves
> for a project that they have a specified role on, then perform an
> update to the credential user and project, allowing them to masquerade
> as another user. (CVE #1 PENDING) Any authenticated user within a
> limited scope (trust/oauth/application credential) can create an EC2
> credential with an escalated permission, such as obtaining admin while
> the user is on a limited viewer role. (CVE #2 PENDING) Both of these
> vulnerabilities potentially allow a malicious user to act as admin on
> a project that another user has the admin role on, which can
> effectively grant the malicious user global admin privileges.
>
>
> Patches
> ~~~~~~~
> - - https://review.opendev.org/725895 (Rocky)
> - - https://review.opendev.org/725893 (Stein)
> - - https://review.opendev.org/725891 (Train)
> - - https://review.opendev.org/725888 (Ussuri)
> - - https://review.opendev.org/725886 (Victoria)
>
>
> Credits
> ~~~~~~~
> - - kay (CVE Pending)
>
>
> References
> ~~~~~~~~~~
> - - https://launchpad.net/bugs/1872733
> - - https://launchpad.net/bugs/1872735
> - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending
>
>
> Notes
> ~~~~~
> - - The stable/rocky branch is under extended maintenance and will receive
> no new
>   point releases, but a patch for it is provided as a courtesy.
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zE70ACgkQ56j9K3b+
> vREQsBAAnHZLyrbjSwu7/CEdDVfb0sQZfDvyuXMttzouXQ6ZwEgLFKzc/aFWMjru
> loyst9jAx2pJzvxDfMYO11oU0M5tYFCFxhKsVvu+3ggbcNHeov1s25bPkxE7A2j7
> IYJj9b+bbieYVj1ru3FJjDl3iTae4K73DeHNBCdxTSeahJZdya7hiboA1VJFt4p7
> fNqU3+szsYt/vwspPBi7x+xnZszIMaUw8tVgxzB4KVD6YXbDR9Mp7itH77kGdn8l
> e3OpnURvfaIkPbK6fqE6jjwjQEL/6+Ahffaf4KqvsdjbAcdQRpK0UQrBX+n6DIWd
> TRwV/W7bEy64HrC16W78fcBlegRmEUUM4xNmdll3lwUS5KqfEeM3vXU4Ksfe9tQ2
> 8fDU1hDALcC55+2CMMrdFfmX/MBSTz0HVmP4snaGuoXBL/iQz22OmekFKC1tmXxb
> +vAtOUBsdzphRZn9KWvPIHOFGeuepWb9W0eN594JT2pdHfniLj6EaPrBaN63l7M/
> pu0DTPygN5IdUXv6v/vquQZp50CaN59okmXDNiFkBeHsfaAqhdyjJjRaYvyU62OA
> apjVam8/f2HM0RC0vvpIqv0z0kU55NPCo61dlMZPg6U9JiQd2PzBqvEtDF1lyByF
> vz5e+r9fmtRcgCJIYr0Z7VlOlSMONpITN03oICaexieDTEXDXHc=
> =lSDG
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20200507/93279ff8/attachment-0001.html>


More information about the OpenStack-announce mailing list