← Back to team overview

openstack team mailing list archive

[OSSA 2013-005] Keystone EC2-style authentication accepts disabled user/tenants (CVE-2013-0282)

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-005
CVE: CVE-2013-0282
Date: February 19, 2013
Keystone EC2-style authentication accepts disabled user/tenants
Reporter: Nathanael Burton (National Security Agency)
Products: Keystone
Affects: All versions

Description:
Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is
enabled before authenticating a user using the EC2 api. Authenticated,
but disabled users (or authenticated users in disabled tenants or
domains) could therefore retain access rights that were thought removed.
Only setups enabling EC2-style authentication are affected. To disable
EC2-style authentication to work around the issue, remove the EC2
extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone
API pipeline in keystone.conf.

Grizzly (development branch) fix:
https://review.openstack.org/#/c/22319/

Folsom fix:
https://review.openstack.org/#/c/22320/

Essex fix:
https://review.openstack.org/#/c/22321/

References:
https://bugs.launchpad.net/keystone/+bug/1121494
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRI7nbAAoJEFB6+JAlsQQjGHgP/2yHBH4Yvzl3Q0P4oMr2Vskb
9xroi6sEQTgP/KaidIiV2lORdgSqYZZlylW3EbHnR1Io9natqCLfYkkEdpagTUxM
WcYXAJtBHbHN+hpeGiYojPsV1LmgIX81UrausX1k5U1ZtFkvOhrfhcXWPOozREkM
WwhYjaGl14dmIusE7h0uY7VNTiQMI9LAft18OfJMNFTwA/FmkxlPO/Jea8CUwDIl
LSLv+MRFw2M01TnsAYlnFsa9O7175q2DpNPCqXYjh38ewNBJHuArtuASkA7hHrMA
wYUzAS3lho9WuGVG/GwZk1V//GQhpzn/VWxRCmuOS3tpwTksbkXF36kwOnP5Vu5N
uo9jLBAovHIqfr0QGXGYMXA9Bu9jW5geUIuDNvpKkAFIiQVS3JcDWsqsu7otgjHY
HKUKmYF66BAJmmaM7aXPswGs61B6F3SLIZCneOp9N8PnT3PCR57++zMEjEWBYuLw
E4BDKPa1k2Q822hxWizhXAmkfc5t+AVk2kKPa9a5sMY2oNNrqtRR4+jMjXiS9CmU
gQs9VbXrmMy577zcCkzj7ci7fY0iFUtHW7PhFKUpHf2Mpr2/vLwc4p8g5da8bTwU
2swDuJ/KPsd66oEYjQW0CGBymMTkmbZWUX4InAj1ZynESW46cb/CAaS8oGk2I6dC
F3MMfAjNkfhO9srLLNoC
=fWOa
-----END PGP SIGNATURE-----