yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1242597] Re: [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 22 Jan 2014 15:42:23 -0000
Reply-to: Bug 1242597 <1242597@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597

Title:
  [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens
  (CVE-2013-6391)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  So I finally got around to investigating the scenario I mentioned in
  https://review.openstack.org/#/c/40444/, and unfortunately it seems
  that the ec2tokens API does indeed provide a way to circumvent the
  role delegation provided by trusts, and obtain all the roles of the
  trustor user, not just those explicitly delegated.

  Steps to reproduce:
  - Trustor creates a trust delegating a subset of roles
  - Trustee gets a token scoped to that trust
  - Trustee creates an ec2-keypair
  - Trustee makes a request to the ec2tokens API, to validate a signature created with the keypair
  - ec2tokens API returns a new token, which is not scoped to the trust and enables access to all the trustor's roles.

  I can provide some test code which demonstrates the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242597/+subscriptions