yahoo-eng-team team mailing list archive
Message #82541
[Bug 1872733] Re: Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID
Reviewed: https://review.opendev.org/725912
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=2548f46b0aff357f6c953b30179b4d8e151e4236
Submitter: Zuul
Branch: master
commit 2548f46b0aff357f6c953b30179b4d8e151e4236
Author: Gage Hugo <gagehugo@xxxxxxxxx>
Date: Wed May 6 10:57:15 2020 -0500
Add OSSA-2020-004 (CVEs Pending)
Change-Id: Ide28e91b184edab45d22c47661ad6bb6003dd244
Closes-Bug: #1872735
Closes-Bug: #1872733
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872733
Title:
Keystone V3 /credentials endpoint policy logic allows to change
credentials owner or target project ID
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Security Advisory:
Fix Released
Bug description:
The "_build_target_enforcement" function checks only for "credential_id":
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/credentials.py#L38
Thus even having an '"identity:update_credential": "rule:cloud_admin or
(user_id:%(target.credential.user_id)s)"' policy doesn't prevent a
malicious user from creating an EC2 credential and then changing its owner
and project ID, e.g.:
curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "X-Auth-Token: ***" \
  -d '{
    "credential": {
      "project_id": "_target_project_id_",
      "user_id": "_target_user_id_"
    }
  }'
Additionally it is possible to create a credential with any existing
project_id, though it doesn't have a serious security issue, e.g.:
{
  "credential": {
    "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
    "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
    "project_id": "_any_project_id_",
    "type": "ec2",
    "user_id": "_my_user_id_"
  }
}
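The enforcement gap above, as an added Python model that is not keystone's own code: the policy target is built only from the stored credential, so the owner rule passes and the PATCH body then rewrites user_id and project_id unchecked; the hardened variant enforces the same rule against the requested owner as well and restricts the project to one the owner can access. The in-memory store, the user-to-projects mapping and the function names are assumptions made for this example.

```python
# Added illustration (not keystone's code): minimal model of the reported
# policy check. STORE, USER_PROJECTS and the function names are assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str
    project_id: str


# Constructed sample data: one EC2 credential owned by "alice" in "proj-a",
# plus each user's project memberships (assumed to come from assignments).
STORE = {"cred-1": Credential("cred-1", "alice", "proj-a")}
USER_PROJECTS = {"alice": {"proj-a"}, "mallory": {"proj-m"}}


def rule_allows(caller, target_user_id, admin=False):
    """Mirror of 'rule:cloud_admin or user_id:%(target.credential.user_id)s'."""
    return admin or caller == target_user_id


def patch_vulnerable(caller, cred_id, changes, store=STORE, admin=False):
    """Target built from the stored credential only (the reported behaviour).
    The rule passes because the caller owns the record right now; the PATCH
    body is then applied unchecked, so owner and project can be rewritten."""
    cred = store[cred_id]
    if not rule_allows(caller, cred.user_id, admin):
        raise PermissionError("policy denied")
    allowed = {k: changes[k] for k in ("user_id", "project_id") if k in changes}
    return replace(cred, **allowed)


def patch_hardened(caller, cred_id, changes, store=STORE, admin=False):
    """Enforce the rule against the stored owner AND the requested owner, and
    only accept a project the (resulting) owner is actually a member of."""
    cred = store[cred_id]
    if not rule_allows(caller, cred.user_id, admin):
        raise PermissionError("policy denied")
    new_user = changes.get("user_id", cred.user_id)
    if not rule_allows(caller, new_user, admin):
        raise PermissionError("changing credential owner is not permitted")
    new_project = changes.get("project_id", cred.project_id)
    if not admin and new_project not in USER_PROJECTS.get(new_user, set()):
        raise PermissionError("project not accessible to credential owner")
    return replace(cred, user_id=new_user, project_id=new_project)
```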