[Openstack] [OSSN 0080] Aodh can be used to launder Keystone trusts
Luke Hinds
lhinds at redhat.com
Thu Aug 17 10:58:26 UTC 2017
Aodh can be used to launder Keystone trusts
---
### Summary ###
When adding an alarm action with the scheme `trust+http:` Aodh does not
verify that the user creating the alarm is the trustor or has the same
rights as the trustor, not that the trust is for the same project as the
alarm.
### Affected Services / Software ###
Aodh the alarm engine of the Telemetry project.
Pike, Ocata and Newton
### Discussion ###
When adding an alarm action with the scheme `trust+http:`, Aodh allows
the user to provide a trust ID to acquire a token with which to make a
webhook request. (If no trust ID is provided then Aodh creates a trust
internally, in which case the issue is not present.) However, Aodh makes
no attempt to verify that the user creating the alarm is the trustor or
has the same rights as the trustor - it also does not attempt to check
that the trust is for the same project as the alarm.
The nature of the `trust+http:` alarm notifier is that it allows the
user to obtain a token given the ID of a trust for which Aodh is the
trustee, since the URL is arbitrary and not limited to services in the
Keystone catalog.
### Recommended Actions ###
A patchfile is attached to the launchpad bug referenced below. It will
block use of trust URLs which contain trust ID's and log an error
message of "trust URL cannot contain a trust ID.". Any trust action
without a trust ID will result in Aodh internally creating a trust ID as
before.
You will also need to restart the web server used for Aodh API. This is
typically apache. In cases of eventlet (in older versions) it will
require restart openstack-aodh-api for centos/RHEL/Suse and aodh-api
for ubuntu.
The fix has also been merged to master (Pike), Ocata and Newton.
### Contacts / References ###
Discoverer: Zane Bitter, Red Hat
Author: Luke Hinds, Red Hat
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1649333
OpenStack Security Project : https://launchpad.net/~openstack-ossg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170817/b742a522/attachment.sig>
More information about the Openstack
mailing list