yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #07116
[Bug 1242597] Re: ec2tokens API doesn't handle trust-scoped tokens correctly (CVE-2013-6391)
** Also affects: keystone/havana
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597
Title:
ec2tokens API doesn't handle trust-scoped tokens correctly
(CVE-2013-6391)
Status in OpenStack Identity (Keystone):
In Progress
Status in Keystone havana series:
In Progress
Status in OpenStack Security Advisories:
Fix Committed
Bug description:
So I finally got around to investigating the scenario I mentioned in
https://review.openstack.org/#/c/40444/, and unfortunately it seems
that the ec2tokens API does indeed provide a way to circumvent the
role delegation provided by trusts, and obtain all the roles of the
trustor user, not just those explicitly delegated.
Steps to reproduce:
- Trustor creates a trust delegating a subset of roles
- Trustee gets a token scoped to that trust
- Trustee creates an ec2-keypair
- Trustee makes a request to the ec2tokens API, to validate a signature created with the keypair
- ec2tokens API returns a new token, which is not scoped to the trust and enables access to all the trustor's roles.
I can provide some test code which demonstrates the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242597/+subscriptions