Bug 848066 (CVE-2013-4477)

Summary: VUL-0: CVE-2013-4477: openstack-keystone: Unintentional role granting with Keystone LDAP backend
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team, vuntz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:55534
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2013-10-29 12:53:22 UTC 
via oss-sec


From: Thierry Carrez | 29 Oct 2013 11:40 
Subject: CVE request for a vulnerability in OpenStack Keystone


A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory was not sent yet.

"""
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change
code within the Keystone LDAP backend. When a role on a tenant is
removed from a user, and that user doesn't have that role on the
tenant, then the user may actually be granted the role on the tenant.
A user could use social engineering and leverage that vulnerability to
get extra roles granted, or may accidentally be granted extra roles.
Only Keystone setups using a LDAP backend are affected.
"""

References:
https://bugs.launchpad.net/keystone/+bug/1242855

Thanks in advance,

http://comments.gmane.org/gmane.comp.security.oss.general/11385
Comment 1 Marcus Meissner 2013-10-29 15:59:54 UTC 
CVE-2013-4477
Comment 2 Marcus Meissner 2013-10-29 16:52:48 UTC 
A vulnerability was fixed publicly in OpenStack Keystone recently, and
we think it warrants a security advisory to make sure everyone is aware
of it.

We obviously can't embargo anything here since the issue (and its fix)
are public already, but we figured you would still appreciate a day
heads-up before we publish the advisory and attract the rest of the
world attention on the issue.

Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: All supported versions

Description:
The IBM OpenStack test team reported a vulnerability in role change
code within the Keystone LDAP backend. When a role on a tenant is
removed from a user, and that user doesn't have that role on the
tenant, then the user may actually be granted the role on the tenant.
A user could use social engineering and leverage that vulnerability to
get extra roles granted, or may accidentally be granted extra roles.
Only Keystone setups using a LDAP backend are affected.

Icehouse (development branch) fix:
https://review.openstack.org/53012

Havana fix:
https://review.openstack.org/53146

Grizzly fix:
https://review.openstack.org/53154

Patches are also attached for your convenience.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4477
https://bugs.launchpad.net/keystone/+bug/1242855

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team
Comment 3 Swamp Workflow Management 2013-10-29 23:00:23 UTC 
bugbot adjusting priority
Comment 4 Vincent Untz 2013-11-21 14:46:05 UTC 
Sascha: here are the latest security issues we have.
Comment 6 Sascha Peilicke 2013-12-06 13:27:41 UTC 
sr#29776
Comment 8 Swamp Workflow Management 2013-12-17 09:26:44 UTC 
The SWAMPID for this issue is 55533.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-31.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Swamp Workflow Management 2014-01-30 17:46:16 UTC 
Update released for: openstack-keystone, openstack-keystone-doc, openstack-keystone-test, python-keystone
Products:
SUSE-CLOUD 2.0 (x86_64)
Comment 10 Swamp Workflow Management 2014-01-30 21:06:02 UTC 
SUSE-SU-2014:0163-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 837800,839876,843443,848066
CVE References: CVE-2013-4222,CVE-2013-4477
Sources used:
SUSE Cloud 2.0 (src):    openstack-keystone-2013.1.5.a2.g82dcde0-0.7.1, openstack-keystone-doc-2013.1.5.a2.g82dcde0-0.7.1
Comment 11 Marcus Meissner 2014-03-26 08:37:25 UTC 
was this fixed pre cloud 3 shipment?
Comment 12 Vincent Untz 2014-03-26 09:08:09 UTC 
(In reply to comment #11)
> was this fixed pre cloud 3 shipment?

Yes; it doesn't appear in .changes because upstream doesn't refer to CVE in commits, though :/
Comment 13 Marcus Meissner 2014-03-28 08:27:30 UTC 
done