Bugzilla – Bug 855338
VUL-0: CVE-2013-6391: openstack-keystone: trust circumvention through EC2-style tokens
Last modified: 2014-07-07 15:35:41 UTC
Public via oss-security:

OpenStack Security Advisory: 2013-032
CVE: CVE-2013-6391
Date: December 11, 2013
Title: Keystone trust circumvention through EC2-style tokens
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Affects: Havana and later

Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.

Icehouse (development branch) fix: https://review.openstack.org/61419
Havana fix: https://review.openstack.org/61425

Notes:
This fix will be included in the icehouse-2 development milestone and in a future 2013.2.1 release.

References:
http://comments.gmane.org/gmane.comp.security.oss.general/11674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6391
https://bugzilla.redhat.com/show_bug.cgi?id=1039164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6391
https://launchpad.net/bugs/1242597
bugbot adjusting priority
Same bug as https://bugzilla.novell.com/show_bug.cgi?id=857172 ?
CVE-2013-6391: CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N): Permissions, Privileges, and Access Control (CWE-264)
(In reply to comment #2)
> Same bug as https://bugzilla.novell.com/show_bug.cgi?id=857172 ?

Yes, same CVE-ID.
Currently in staging. Fix is already part of Cloud-3 GMC, only the bnc / cve number was added late (sr#31171). Maybe part of the first update. For Cloud-2, we need an update.
This is an autogenerated message for OBS integration: This bug (855338) was mentioned in https://build.opensuse.org/request/show/215547 Factory / openstack-keystone
I think tonight's mkcloud tests failed because of this change arriving in D:C:2.0:Staging
http://river.suse.de/view/Cloud/view/Worker/job/openstack-mkcloud/3965/

2014-01-30 03:55:02 + crowbar keystone proposal commit default
2014-01-30 03:55:26 RuntimeError
2014-01-30 03:55:26 ------------
2014-01-30 03:55:26 Failed to talk to keystone in _create_item
2014-01-30 03:55:27
2014-01-30 03:55:27 Cookbook Trace:
2014-01-30 03:55:27 ---------------
2014-01-30 03:55:27 /var/chef/cache/cookbooks/keystone/providers/register.rb:318:in `_create_item'
2014-01-30 03:55:27 /var/chef/cache/cookbooks/keystone/providers/register.rb:211:in `class_from_file'
2014-01-30 03:55:27
2014-01-30 03:55:27 Resource Declaration:
2014-01-30 03:55:27 ---------------------
2014-01-30 03:55:27 # In /var/chef/cache/cookbooks/keystone/recipes/server.rb
2014-01-30 03:55:27
2014-01-30 03:55:27 405: keystone_register "add default ec2 creds for #{args[1]}:#{args[0]}" do
2014-01-30 03:55:27 406:   protocol node[:keystone][:api][:protocol]
2014-01-30 03:55:27 407:   host my_admin_host
2014-01-30 03:55:27 408:   port node[:keystone][:api][:admin_port]
2014-01-30 03:55:27 409:   token node[:keystone][:service][:token]
2014-01-30 03:55:27 410:   user_name args[0]
2014-01-30 03:55:27 411:   tenant_name args[1]
2014-01-30 03:55:27 412:   action :add_ec2
2014-01-30 03:55:27 413: end
2014-01-30 03:55:27 414: end
2014-01-30 03:55:27
2014-01-30 03:55:27 Compiled Resource:
2014-01-30 03:55:27 ------------------
2014-01-30 03:55:27 # Declared in /var/chef/cache/cookbooks/keystone/recipes/server.rb:405:in `from_file'
2014-01-30 03:55:27
2014-01-30 03:55:27 keystone_register("add default ec2 creds for admin:admin") do
2014-01-30 03:55:27   tenant_name "admin"
2014-01-30 03:55:27   port 35357
2014-01-30 03:55:27   retries 0
2014-01-30 03:55:27   recipe_name "server"
2014-01-30 03:55:27   token "002406516472"
2014-01-30 03:55:27   host "d52-54-02-77-77-02.virtual.cloud.suse.de"
2014-01-30 03:55:27   cookbook_name "keystone"
2014-01-30 03:55:27   protocol "http"
2014-01-30 03:55:27   user_name "admin"
2014-01-30 03:55:27   retry_delay 2
2014-01-30 03:55:27   action [:add_ec2]
2014-01-30 03:55:27 end
Problem goes away when dropping /usr/lib64/python2.6/site-packages/keystone/contrib/ec2/core.py:211

    # Disallow trust-scoped tokens from creating credentials.
    self._assert_not_trust_scoped(context)
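Added illustration (editor's example, not Keystone's code and not part of any comment in this bug) of the flaw the advisory describes and of the check removed in the comment above: a trust-scoped token carries only the delegated roles, but EC2 credentials were bound only to (user, project), so exchanging them through the ec2tokens API handed back the trustor's full role set. The data model, role assignments, trust, names and the `Ec2Credentials` class are all constructed for the example; `reject_trust_scoped=True` plays the part of `_assert_not_trust_scoped`.

```python
"""Toy model of CVE-2013-6391 and its fix (constructed illustration,
not Keystone's own code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


class TrustScopedTokenNotAllowed(Exception):
    """Raised when a trust-scoped token tries to mint EC2 credentials."""


@dataclass(frozen=True)
class Token:
    user_id: str                     # effective user (the trustor when impersonating)
    project_id: str
    roles: FrozenSet[str]            # roles this token actually grants
    trust_id: Optional[str] = None   # set only for trust-scoped tokens


# Constructed sample data: alice holds admin+member on project "infra".
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "infra"): frozenset({"admin", "member"}),
}

# Constructed trust: alice delegates only "member" on "infra" to bob.
TRUSTS = {
    "trust-1": {"trustor": "alice", "trustee": "bob",
                "project": "infra", "roles": frozenset({"member"})},
}


def trust_scoped_token(trust_id: str) -> Token:
    """Token a trustee gets by consuming a trust (impersonation: user is the trustor)."""
    t = TRUSTS[trust_id]
    return Token(t["trustor"], t["project"], t["roles"], trust_id=trust_id)


class Ec2Credentials:
    """Minimal stand-in for the ec2 credential store and the ec2tokens exchange."""

    def __init__(self, reject_trust_scoped: bool) -> None:
        self.reject_trust_scoped = reject_trust_scoped
        self._store: Dict[str, Tuple[str, str]] = {}
        self._counter = 0

    def create(self, token: Token) -> str:
        # The upstream fix, in one line: a trust-scoped token may not mint
        # long-lived credentials that escape the trust's role limits.
        if self.reject_trust_scoped and token.trust_id is not None:
            raise TrustScopedTokenNotAllowed(token.trust_id)
        self._counter += 1
        access_key = f"AK{self._counter:04d}"   # constructed, not a real key format
        # Note what is NOT stored: the trust id and the delegated role subset.
        self._store[access_key] = (token.user_id, token.project_id)
        return access_key

    def authenticate(self, access_key: str) -> Token:
        """Exchange EC2 credentials for a token; roles come from direct assignments."""
        user_id, project_id = self._store[access_key]
        return Token(user_id, project_id, ROLE_ASSIGNMENTS[(user_id, project_id)])


def roles_via_ec2(reject_trust_scoped: bool) -> FrozenSet[str]:
    """Roles the trustee ends up with after the create-then-authenticate round trip."""
    svc = Ec2Credentials(reject_trust_scoped)
    key = svc.create(trust_scoped_token("trust-1"))
    return svc.authenticate(key).roles


def patched_refuses() -> bool:
    """True when the patched service refuses credential creation for the trust token."""
    try:
        roles_via_ec2(True)
    except TrustScopedTokenNotAllowed:
        return True
    return False


if __name__ == "__main__":
    print("delegated by trust:", sorted(trust_scoped_token("trust-1").roles))
    print("unpatched, roles after ec2 round trip:", sorted(roles_via_ec2(False)))
    print("patched refuses trust-scoped create:", patched_refuses())
```

The unpatched round trip turns a token limited to `member` into one carrying `admin`, which is the privilege elevation in the advisory; the check on `trust_id` at credential-creation time is what the Havana and Icehouse fixes add, and it is also why a deployment that creates EC2 credentials with a trust-scoped token (as the crowbar cookbook run above did) starts failing once the fix is installed.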
Well, that's exactly the upstream fix :-) https://bugs.launchpad.net/keystone/+bug/1263804 comment #1 indicates we likely shouldn't be doing it this way anyway. Does the admin really need an EC2 token or is it sufficient to only create one for the default user "crowbar" if at all?
We should backport https://github.com/crowbar/barclamp-keystone/pull/153 then, I guess.
That would be https://github.com/crowbar/barclamp-keystone/pull/166, gonna have to test it though.
This is an autogenerated message for OBS integration: This bug (855338) was mentioned in https://build.opensuse.org/request/show/220359 Factory / openstack-keystone
https://build.suse.de/request/show/35310 openstack-keystone might need updated crowbar-barclamp-keystone
The SWAMPID for this issue is 56887. This issue was rated as moderate. Please submit fixed packages by 2014-04-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.