yahoo-eng-team team mailing list archive

[Bug 1324592] Re: [OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476)

 

** Also affects: keystone/icehouse
   Importance: Undecided
       Status: New

** Also affects: keystone/havana
   Importance: Undecided
       Status: New

** Changed in: keystone/havana
       Status: New => In Progress

** Changed in: keystone/icehouse
       Status: New => In Progress

** Changed in: keystone/havana
   Importance: Undecided => Critical

** Changed in: keystone/icehouse
   Importance: Undecided => Critical

** Changed in: keystone/havana
     Assignee: (unassigned) => Adam Young (ayoung)

** Changed in: keystone/icehouse
     Assignee: (unassigned) => Adam Young (ayoung)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1324592

Title:
  [OSSA 2014-018] Trust scope can be circumvented by chaining trusts
  (CVE-2014-3476)

Status in OpenStack Identity (Keystone):
  In Progress
Status in Keystone havana series:
  In Progress
Status in Keystone icehouse series:
  In Progress
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  I've been experimenting with chaining keystone trusts, and I've
  encountered what I think is a privilege escalation flaw, where the
  scope enforced by the trust when initially delegating can be
  circumvented by creating another trust.

  I spoke about this briefly with ayoung on IRC and he seems to be in
  agreement that this is a bug.

  Details:

  1. User1 has roles admin and heat_stack_owner
  2. User1 delegates to User2 via a trust, delegating only heat_stack_owner, and enabling impersonation
  3. User2 gets a trust-scoped token, impersonating User1
  4. User2 creates a new trust, delegating both admin and heat_stack_owner to User3
  5. This works, and so when User3 gets a trust-scoped token, they can get elevated privileges, effectively defeating the point of role-limited delegation via the trust.

  I've attached a reproducer which demonstrates the problem.

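
A simplified model of the five steps in the bug description, added here as an illustration; it is not the attached reproducer and not Keystone code. All class and function names are hypothetical, and the flawed check (validating requested roles against the user's full role assignments rather than the roles carried by the presenting token) is an assumption made for the model.

```python
# Toy model of role-limited delegation; names are hypothetical, not Keystone's API.
from dataclasses import dataclass

# Constructed role assignments matching step 1 of the report.
ASSIGNMENTS = {"User1": {"admin", "heat_stack_owner"}}

@dataclass(frozen=True)
class Token:
    user: str          # effective user (the trustor when impersonating)
    roles: frozenset   # roles this token actually carries

@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    roles: frozenset
    impersonation: bool

def create_trust_unchecked(token, trustee, roles, impersonation=True):
    """Flawed: compares requested roles with the user's full assignments."""
    roles = frozenset(roles)
    if not roles <= ASSIGNMENTS.get(token.user, set()):
        raise PermissionError("trustor lacks requested roles")
    return Trust(token.user, trustee, roles, impersonation)

def create_trust_checked(token, trustee, roles, impersonation=True):
    """Hardened: delegated roles must be a subset of the presenting token's roles."""
    roles = frozenset(roles)
    if not roles <= token.roles:
        raise PermissionError("cannot delegate roles outside the token's scope")
    return Trust(token.user, trustee, roles, impersonation)

def trust_scoped_token(trust):
    """Token a trustee obtains from a trust; impersonation makes it act as the trustor."""
    user = trust.trustor if trust.impersonation else trust.trustee
    return Token(user, trust.roles)

def replay(create_trust):
    """Replay steps 1-5 and return the roles User3's trust-scoped token carries."""
    user1 = Token("User1", frozenset(ASSIGNMENTS["User1"]))
    t1 = create_trust(user1, "User2", {"heat_stack_owner"})
    user2_token = trust_scoped_token(t1)   # impersonates User1, one role only
    t2 = create_trust(user2_token, "User3", {"admin", "heat_stack_owner"})
    return set(trust_scoped_token(t2).roles)
```

With `create_trust_unchecked`, `replay` returns both roles for User3; with `create_trust_checked`, the second trust creation raises `PermissionError` while re-delegating only `heat_stack_owner` still succeeds.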