[openstack-dev] [OSSN 0062] Potential reuse of revoked Identity tokens

Nathan Kinder nkinder at redhat.com
Wed Dec 16 01:59:05 UTC 2015

Hash: SHA256

Potential reuse of revoked Identity tokens
- ---

### Summary ###
An authorization token issued by the Identity service can be revoked,
which is designed to immediately make that token invalid for future use.
When the PKI or PKIZ token providers are used, it is possible for an
attacker to manipulate the token contents of a revoked token such that
the token will still be considered to be valid.  This can allow
unauthorized access to cloud resources if a revoked token is intercepted
by an attacker.

### Affected Services / Software ###
Keystone, Icehouse, Juno, Kilo, Liberty

### Discussion ###
Token revocation is used in OpenStack to invalidate a token for further
use.  This token revocation takes place automatically in certain
situations, such as when a user logs out of the Dashboard.  If a revoked
token is obtained by another party, it should no longer be possible to
use it to perform any actions within the cloud.  Unfortunately, this is
not the case when the PKI or PKIZ token providers are used.

When a PKI or PKIZ token is validated, the Identity service checks it
by searching for a revocation by the entire token.  It is possible for
an attacker to manipulate portions of an intercepted PKI or PKIZ token
that are not cryptographically protected, which will cause the
revocation check to improperly consider the token to be valid.

### Recommended Actions ###
We recommend that you do not use the PKI or PKIZ token providers.  The
PKI and PKIZ token providers do not offer any significant benefit over
other token providers such as the UUID or Fernet.

If you are using the PKI or PKIZ token providers, it is recommended that
you switch to using another supported token provider such as the UUID
provider.  This issue might be fixed in a future update of the PKI and
PKIZ token providers in the Identity service.

To check what token provider you are using, you must look in the
'keystone.conf' file for your Identity service.  An example is provided

- ---- begin keystone.conf sample snippet ----
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider
- ---- end keystone.conf sample snippet ----

In the Liberty release of the Identity service, the token provider
configuration is different than previous OpenStack releases.  An
example from the Libery release is provided below:

- ---- begin keystone.conf sample snippet ----
#provider = pki
#provider = pkiz
provider = uuid
- ---- end keystone.conf sample snippet ----

These configuration snippets are using the UUID token provider.  If you
are using any of the commented out settings from these examples, your
cloud is vulnerable to this issue and you should switch to a different
token provider.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0062
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/149080
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: CVE-2015-7546
Version: GnuPG v2


More information about the OpenStack-dev mailing list