yahoo-eng-team team mailing list archive
Message #11933
[Bug 1242597] Re: [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)
** Changed in: keystone/grizzly
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1242597
Title:
[OSSA 2013-032] Keystone trust circumvention through EC2-style tokens
(CVE-2013-6391)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone grizzly series:
Fix Released
Status in Keystone havana series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
So I finally got around to investigating the scenario I mentioned in
https://review.openstack.org/#/c/40444/, and unfortunately it seems
that the ec2tokens API does indeed provide a way to circumvent the
role delegation provided by trusts, and obtain all the roles of the
trustor user, not just those explicitly delegated.
Steps to reproduce:
- Trustor creates a trust delegating a subset of roles
- Trustee gets a token scoped to that trust
- Trustee creates an ec2-keypair
- Trustee makes a request to the ec2tokens API, to validate a signature created with the keypair
- ec2tokens API returns a new token, which is not scoped to the trust and enables access to all the trustor's roles.
I can provide some test code which demonstrates the issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1242597/+subscriptions
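The steps to reproduce above describe a scoping gap: an EC2-style credential created under a trust-scoped token loses the trust scope, so a token later issued from that credential carries every role of the trustor. The following Python model is an added illustration, not Keystone's code and not the fix that shipped for this advisory; all names (Trust, Credential, Token, the vulnerable and hardened issuance functions) and the sample users, roles and trust are constructed for this example. It shows the vulnerable issuance path beside a hardened one that records the trust on the credential, re-checks the trust when the credential is used, and limits the issued roles to the delegated subset, plus a small audit helper a defender could use to flag tokens that exceed their trust's delegation.

```python
"""Model of trust scoping for tokens issued from EC2-style credentials.

Added illustration only; not Keystone's implementation. All identifiers,
users, roles and the trust below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


class TrustError(Exception):
    """Raised when a credential's trust can no longer be honoured."""


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_id: str
    trustee_id: str
    delegated_roles: FrozenSet[str]
    enabled: bool = True


@dataclass(frozen=True)
class Token:
    user_id: str                      # user the token acts as (the trustor)
    roles: FrozenSet[str]
    trust_id: Optional[str] = None    # None means an unscoped (full) token


@dataclass(frozen=True)
class Credential:
    access: str
    user_id: str                      # credential owner; the trustor in this bug
    trust_id: Optional[str] = None    # only the hardened path fills this in


# Constructed sample data: the trustor holds more roles than it delegates.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "trustor": frozenset({"admin", "member", "heat_stack_owner"}),
    "trustee": frozenset({"member"}),
}
TRUSTS: Dict[str, Trust] = {
    "trust-1": Trust("trust-1", "trustor", "trustee",
                     frozenset({"heat_stack_owner"})),
}


def get_trust_token(trust_id: str) -> Token:
    """Normal trust path: the trustee gets a token limited to delegated roles."""
    trust = TRUSTS[trust_id]
    return Token(user_id=trust.trustor_id, roles=trust.delegated_roles,
                 trust_id=trust.trust_id)


def create_credential_vulnerable(token: Token, access: str) -> Credential:
    """Drops the token's trust scope: the credential looks like the owner's own."""
    return Credential(access=access, user_id=token.user_id)


def create_credential_hardened(token: Token, access: str) -> Credential:
    """Keeps the trust scope with the credential so later use can honour it."""
    return Credential(access=access, user_id=token.user_id,
                      trust_id=token.trust_id)


def ec2tokens_vulnerable(cred: Credential) -> Token:
    """Signature check assumed done; issues a token with all owner roles."""
    return Token(user_id=cred.user_id, roles=USER_ROLES[cred.user_id])


def ec2tokens_hardened(cred: Credential) -> Token:
    """Signature check assumed done; honours trust scope recorded on the credential."""
    if cred.trust_id is None:
        return Token(user_id=cred.user_id, roles=USER_ROLES[cred.user_id])
    trust = TRUSTS.get(cred.trust_id)
    if trust is None or not trust.enabled:
        raise TrustError("trust %s missing or disabled" % cred.trust_id)
    if trust.trustor_id != cred.user_id:
        raise TrustError("credential owner is not the trustor of the trust")
    # Re-evaluate at use time: the trustor may have lost roles since delegating.
    roles = trust.delegated_roles & USER_ROLES[trust.trustor_id]
    return Token(user_id=cred.user_id, roles=roles, trust_id=trust.trust_id)


def excess_roles(token: Token, trust: Trust) -> FrozenSet[str]:
    """Audit helper: roles a token holds beyond what the trust delegates.

    A non-empty result for a token that originated from a trust is the
    circumvention signature the bug describes.
    """
    return token.roles - trust.delegated_roles


if __name__ == "__main__":
    scoped = get_trust_token("trust-1")
    leaked = ec2tokens_vulnerable(create_credential_vulnerable(scoped, "AK-demo"))
    bounded = ec2tokens_hardened(create_credential_hardened(scoped, "AK-demo"))
    print("vulnerable path excess roles:", sorted(excess_roles(leaked, TRUSTS["trust-1"])))
    print("hardened path excess roles:  ", sorted(excess_roles(bounded, TRUSTS["trust-1"])))
```

The key design point is that scope must travel with the credential and be re-checked at use time, not only at creation: a credential is a long-lived secret, so the hardened path consults the trust again when the credential is presented and intersects the delegated roles with what the trustor currently holds, rather than trusting a snapshot.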