← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1242597] Re: ec2tokens API doesn't handle trust-scoped tokens correctly (CVE-2013-6391)

 

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597

Title:
  ec2tokens API doesn't handle trust-scoped tokens correctly
  (CVE-2013-6391)

Status in OpenStack Identity (Keystone):
  In Progress
Status in Keystone havana series:
  In Progress
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  So I finally got around to investigating the scenario I mentioned in
  https://review.openstack.org/#/c/40444/, and unfortunately it seems
  that the ec2tokens API does indeed provide a way to circumvent the
  role delegation provided by trusts, and obtain all the roles of the
  trustor user, not just those explicitly delegated.

  Steps to reproduce:
  - Trustor creates a trust delegating a subset of roles
  - Trustee gets a token scoped to that trust
  - Trustee creates an ec2-keypair
  - Trustee makes a request to the ec2tokens API, to validate a signature created with the keypair
  - ec2tokens API returns a new token, which is not scoped to the trust and enables access to all the trustor's roles.

  I can provide some test code which demonstrates the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242597/+subscriptions