← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1324592] Re: [OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476)

 

** Changed in: keystone/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1324592

Title:
  [OSSA 2014-018] Trust scope can be circumvented by chaining trusts
  (CVE-2014-3476)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Fix Released
Status in Keystone icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  I've been experimenting with chaining keystone trusts, and I've
  encountered what I think is a privilege escalation flaw, where the
  scope enforced by the trust when initially delegating can be
  circumvented by creating another trust.

  I spoke about this briefly with ayoung on IRC and he seems to be in
  agreement that this is a bug.

  Details:

  1. User1 has roles admin and heat_stack_owner
  2. User1 delegates to User2 via a trust, only delegating only heat_stack_owner, and enabling impersonation
  3. User2 gets a trust-scoped token, impersonating User1
  4. User2 creates a new trust, delegating both admin and heat_stack_owner to User3
  5. This works, and so when User3 gets a trust scoped token, they can get elevated privileleges, effectively defeating the point of role-limited delegation via the trust.

  I've attached a reproducer which demonstrates the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1324592/+subscriptions