
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN258
_____________________________________________________________________

DATE                : 07/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Keystone versions prior to 15.0.1,
                                     and Keystone 16.0.0 (see Affects below).

=====================================================================
https://security.openstack.org/ossa/OSSA-2020-003.html
https://security.openstack.org/ossa/OSSA-2020-004.html
https://security.openstack.org/ossa/OSSA-2020-005.html
_____________________________________________________________________

OSSA-2020-003: Keystone does not check signature TTL of the EC2
credential auth method

Date

    May 06, 2020
CVE

    Pending


Affects

    Keystone: <15.0.1, ==16.0.0


Description

kay reported a vulnerability in Keystone's EC2 API. Keystone does not
check the signature TTL (the timestamp window) of AWS Signature V4
requests, so an attacker who captures the auth header can replay it to
reissue an OpenStack token an unlimited number of times.
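As an added illustration (example code written for this note, not Keystone's own implementation), the following models the server-side check the advisory describes as missing: SigV4 signature verification with and without a freshness window on X-Amz-Date. The secret key, region, 15-minute window, simplified canonical request and timestamps are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values for this example; not real credentials, not Keystone code.
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # assumed EC2 secret
REGION = "RegionOne"                                      # assumed region name
SERVICE = "ec2"
MAX_AGE = timedelta(minutes=15)   # assumed TTL window; the fix's exact value is not on this page
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"   # X-Amz-Date format used by SigV4


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain: kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign(secret: str, amz_date: str, canonical_request: str) -> str:
    """Hex SigV4 signature over a (simplified) canonical request."""
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])
    key = signing_key(secret, date, REGION, SERVICE)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(secret: str, amz_date: str, canonical_request: str, signature: str,
           now: datetime, check_ttl: bool = True) -> tuple:
    """Server-side check. check_ttl=False models the vulnerable behaviour:
    a valid signature is accepted no matter how old it is."""
    expected = sign(secret, amz_date, canonical_request)
    if not hmac.compare_digest(expected, signature):
        return (False, "bad signature")
    if check_ttl:
        signed_at = datetime.strptime(amz_date, AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
        if abs(now - signed_at) > MAX_AGE:
            return (False, "signature outside TTL window")
    return (True, "ok")


# Constructed request: what a client signs when asking for an EC2 token.
SIGNED_AT = "20200506T100000Z"
CANONICAL_REQUEST = ("POST\n/v3/ec2tokens\n\nhost:keystone.example.org\n\nhost\n"
                     + hashlib.sha256(b"").hexdigest())
SIGNATURE = sign(SECRET_KEY, SIGNED_AT, CANONICAL_REQUEST)


def fresh_request(check_ttl: bool = True) -> tuple:
    now = datetime(2020, 5, 6, 10, 1, tzinfo=timezone.utc)   # one minute after signing
    return verify(SECRET_KEY, SIGNED_AT, CANONICAL_REQUEST, SIGNATURE, now, check_ttl)


def replayed_request(check_ttl: bool = True) -> tuple:
    now = datetime(2020, 5, 8, 10, 0, tzinfo=timezone.utc)   # captured header replayed two days later
    return verify(SECRET_KEY, SIGNED_AT, CANONICAL_REQUEST, SIGNATURE, now, check_ttl)


def tampered_request() -> tuple:
    now = datetime(2020, 5, 6, 10, 1, tzinfo=timezone.utc)
    return verify(SECRET_KEY, SIGNED_AT, CANONICAL_REQUEST.replace("POST", "GET"), SIGNATURE, now)


if __name__ == "__main__":
    print("fresh, TTL enforced:  ", fresh_request())
    print("replay, no TTL check: ", replayed_request(check_ttl=False))
    print("replay, TTL enforced: ", replayed_request())
    print("tampered:             ", tampered_request())
```

A TTL window only bounds the replay period; a captured header remains usable inside the window, so a deployment that needs single-use semantics also has to remember recently seen signatures (a nonce cache) and should keep the auth header off untrusted networks in the first place.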


Patches

    https://review.opendev.org/725385 (Rocky)

    https://review.opendev.org/725069 (Stein)

    https://review.opendev.org/724954 (Train)

    https://review.opendev.org/724746 (Ussuri)

    https://review.opendev.org/724124 (Victoria)


Credits

    kay (CVE Pending)


References

    https://launchpad.net/bugs/1872737

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending

Notes

    The stable/rocky branch is under extended maintenance and will
receive no new point releases, but a patch for it is provided as a courtesy.

_____________________________________________________________________


OSSA-2020-004: Keystone credential endpoints allow owner modification
and are not protected from a scoped context

Date

    May 06, 2020
CVE

    Pending


Affects

    Keystone: <15.0.1, ==16.0.0


Description

kay reported two vulnerabilities in Keystone's EC2 credentials API. Any
authenticated user could create an EC2 credential for themselves on a
project where they hold some role, then update the credential's user and
project, allowing them to masquerade as another user. (CVE #1 PENDING)
Any authenticated user within a limited scope (trust/oauth/application
credential) can create an EC2 credential carrying escalated permissions,
such as obtaining admin while the user holds only a limited viewer role.
(CVE #2 PENDING) Both vulnerabilities potentially allow a malicious user
to act as admin on a project where another user has the admin role,
which can effectively grant the malicious user global admin privileges.
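To make both attack paths concrete, here is an added model (written for this note, not Keystone's code) of the credential endpoints before and after hardening. It assumes that authenticating with an EC2 credential yields the owner's full role assignments on the credential's project, which is what makes the owner and project fields sensitive. User names, project names, scope-kind labels and role assignments are constructed for the example; the rule that limited scopes may neither create nor update credentials is my assumption of the fix's shape.

```python
from dataclasses import dataclass

# Scope kinds treated as limited; the labels are assumptions for this example.
LIMITED_SCOPES = {"trust", "oauth1", "application_credential"}


class Forbidden(Exception):
    pass


@dataclass
class Context:
    """The caller's token: who they are, which project, which roles, how obtained."""
    user_id: str
    project_id: str
    roles: frozenset
    scope_kind: str = "project"    # "project" or one of LIMITED_SCOPES


@dataclass
class EC2Credential:
    id: str
    user_id: str
    project_id: str


# Constructed role assignments: (user_id, project_id) -> roles
ASSIGNMENTS = {
    ("alice", "proj-a"): frozenset({"admin"}),
    ("mallory", "proj-m"): frozenset({"member"}),
}


def ec2_token_roles(cred: EC2Credential) -> frozenset:
    """EC2 auth grants the credential owner's full roles on the credential's project."""
    return ASSIGNMENTS.get((cred.user_id, cred.project_id), frozenset())


def create_vulnerable(ctx: Context, cred_id: str) -> EC2Credential:
    return EC2Credential(cred_id, ctx.user_id, ctx.project_id)


def update_vulnerable(ctx: Context, cred: EC2Credential, changes: dict) -> EC2Credential:
    if cred.user_id != ctx.user_id:          # owner check only; body may rewrite owner/project
        raise Forbidden("not the owner")
    for key, value in changes.items():
        setattr(cred, key, value)
    return cred


def create_hardened(ctx: Context, cred_id: str) -> EC2Credential:
    if ctx.scope_kind in LIMITED_SCOPES:
        raise Forbidden(f"credential creation not allowed from {ctx.scope_kind} scope")
    return EC2Credential(cred_id, ctx.user_id, ctx.project_id)


def update_hardened(ctx: Context, cred: EC2Credential, changes: dict) -> EC2Credential:
    if cred.user_id != ctx.user_id:
        raise Forbidden("not the owner")
    if ctx.scope_kind in LIMITED_SCOPES:
        raise Forbidden(f"credential update not allowed from {ctx.scope_kind} scope")
    for key in ("user_id", "project_id"):    # owner and project are immutable
        if key in changes and changes[key] != getattr(cred, key):
            raise Forbidden(f"{key} of a credential cannot be changed")
    for key, value in changes.items():
        setattr(cred, key, value)
    return cred


def owner_change_attack(hardened: bool) -> frozenset:
    """CVE #1 path: mallory creates a credential, then re-points it at alice/proj-a."""
    mallory = Context("mallory", "proj-m", frozenset({"member"}))
    create = create_hardened if hardened else create_vulnerable
    update = update_hardened if hardened else update_vulnerable
    cred = create(mallory, "cred-1")
    try:
        cred = update(mallory, cred, {"user_id": "alice", "project_id": "proj-a"})
    except Forbidden:
        pass
    return ec2_token_roles(cred)


def scoped_context_attack(hardened: bool) -> frozenset:
    """CVE #2 path: a token from alice's application credential, limited to
    'reader', creates an EC2 credential owned by alice on proj-a."""
    app_cred_ctx = Context("alice", "proj-a", frozenset({"reader"}), "application_credential")
    create = create_hardened if hardened else create_vulnerable
    try:
        cred = create(app_cred_ctx, "cred-2")
    except Forbidden:
        return frozenset()
    return ec2_token_roles(cred)
```

Run with the vulnerable functions, both paths end with an EC2 credential whose authentication yields alice's admin role; with the hardened functions the first path keeps mallory's own member role and the second is refused outright.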


Patches

    https://review.opendev.org/725895 (Rocky)

    https://review.opendev.org/725893 (Stein)

    https://review.opendev.org/725891 (Train)

    https://review.opendev.org/725888 (Ussuri)

    https://review.opendev.org/725886 (Victoria)


Credits

    kay (CVE Pending)


References

    https://launchpad.net/bugs/1872733

    https://launchpad.net/bugs/1872735

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending

Notes

    The stable/rocky branch is under extended maintenance and will
receive no new point releases, but a patch for it is provided as a
courtesy.

_____________________________________________________________________

OSSA-2020-005: OAuth1 request token authorize silently ignores roles
parameter

Date

    May 06, 2020
CVE

    Pending

Affects

    Keystone: <15.0.1, ==16.0.0


Description

kay reported a vulnerability in Keystone's OAuth1 Token API. The list of
roles provided for an OAuth1 access token is ignored, so when an OAuth1
access token is used to request a Keystone token, the Keystone token
contains every role assignment the creator had on the project instead of
the provided subset of roles. The resulting Keystone token therefore
carries more role assignments than the creator intended, possibly giving
unintended escalated access.
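An added model of the OAuth1 authorize/issue steps (example code for this note, not Keystone's implementation) showing the silent-ignore behaviour beside the intended one: the delegated role list must be a subset of what the authorizing user actually holds, must be stored with the access token, and must be applied (and re-checked) when the Keystone token is issued. The project name, role names and the rule that an empty delegation is rejected are constructed assumptions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


# Constructed: roles the authorizing user (the "creator") holds per project.
CREATOR_ROLES = {"proj-a": frozenset({"admin", "member", "reader"})}


@dataclass(frozen=True)
class AccessToken:
    consumer_id: str
    project_id: str
    role_ids: frozenset    # roles the creator chose to delegate


def authorize_vulnerable(project_id: str, requested_roles) -> AccessToken:
    """Stores whatever was requested; nothing downstream looks at it."""
    return AccessToken("consumer-1", project_id, frozenset(requested_roles))


def issue_vulnerable(token: AccessToken) -> frozenset:
    """Issues a Keystone token with every role the creator has on the project."""
    return CREATOR_ROLES.get(token.project_id, frozenset())


def authorize_hardened(project_id: str, requested_roles) -> AccessToken:
    requested = frozenset(requested_roles)
    held = CREATOR_ROLES.get(project_id, frozenset())
    if not requested:
        raise Forbidden("at least one role must be delegated")   # assumption for the example
    missing = requested - held
    if missing:
        raise Forbidden(f"creator does not hold {sorted(missing)} on {project_id}")
    return AccessToken("consumer-1", project_id, requested)


def issue_hardened(token: AccessToken) -> frozenset:
    """Only the delegated roles, intersected again with what the creator still
    holds, so a role revoked after authorization does not come back."""
    held = CREATOR_ROLES.get(token.project_id, frozenset())
    return token.role_ids & held


def keystone_token_roles(hardened: bool, requested=("reader",)) -> frozenset:
    authorize = authorize_hardened if hardened else authorize_vulnerable
    issue = issue_hardened if hardened else issue_vulnerable
    return issue(authorize("proj-a", requested))


def delegation_rejected(requested) -> bool:
    """True if the hardened authorize step refuses the requested role list."""
    try:
        authorize_hardened("proj-a", requested)
    except Forbidden:
        return True
    return False
```

Delegating only "reader" yields a token with admin, member and reader under the vulnerable path and just reader under the hardened one; asking for a role the creator does not hold is an error rather than something to be quietly dropped.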


Patches

    https://review.opendev.org/725894 (Rocky)

    https://review.opendev.org/725892 (Stein)

    https://review.opendev.org/725890 (Train)

    https://review.opendev.org/725887 (Ussuri)

    https://review.opendev.org/725885 (Victoria)


Credits

    kay (CVE Pending)


References

    https://launchpad.net/bugs/1873290

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending

Notes

    The stable/rocky branch is under extended maintenance and will
receive no new point releases, but a patch for it is provided as a courtesy.



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================




