yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #22073
[Bug 1324592] Re: [OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476)
** Changed in: keystone/havana
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1324592
Title:
[OSSA 2014-018] Trust scope can be circumvented by chaining trusts
(CVE-2014-3476)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
Fix Released
Status in Keystone icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
I've been experimenting with chaining keystone trusts, and I've
encountered what I think is a privilege escalation flaw, where the
scope enforced by the trust when initially delegating can be
circumvented by creating another trust.
I spoke about this briefly with ayoung on IRC and he seems to be in
agreement that this is a bug.
Details:
1. User1 has roles admin and heat_stack_owner
2. User1 delegates to User2 via a trust, only delegating only heat_stack_owner, and enabling impersonation
3. User2 gets a trust-scoped token, impersonating User1
4. User2 creates a new trust, delegating both admin and heat_stack_owner to User3
5. This works, and so when User3 gets a trust scoped token, they can get elevated privileleges, effectively defeating the point of role-limited delegation via the trust.
I've attached a reproducer which demonstrates the problem.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1324592/+subscriptions