← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1872733] Re: [OSSA-2020-004] Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID (CVE-2020-12691)

 

Reviewed:  https://review.opendev.org/725886
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=37e9907a176dad6843819b1bec4946c3aecc4548
Submitter: Zuul
Branch:    master

commit 37e9907a176dad6843819b1bec4946c3aecc4548
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date:   Tue Apr 14 16:47:44 2020 -0700

    Fix security issues with EC2 credentials
    
    This change addresses several issues in the creation and use of EC2/S3
    credentials with keystone tokens.
    
    1. Disable altering credential owner attributes or metadata
    
    Without this patch, an authenticated user can create an EC2 credential
    for themself for a project they have a role on, then update the
    credential to target a user and project completely unrelated to them. In
    the worst case, this could be the admin user and a project the admin
    user has a role assignment on. A token granted for an altered credential
    like this would allow the user to masquerade as the victim user. This
    patch ensures that when updating a credential, the new form of the
    credential is one the acting user has access to: if the system admin
    user is changing the credential, the new user ID or project ID could be
    anything, but regular users may only change the credential to be one
    that they still own.
    
    Relatedly, when a user uses an application credential or a trust to
    create an EC2 credential, keystone automatically adds the trust ID or
    application credential ID as metadata in the EC2 access blob so that it
    knows how the token can be scoped when it is used. Without this patch, a
    user who has created a credential in this way can update the access blob
    to remove or alter this metadata and escalate their privileges to be
    fully authorized for the trustor's, application credential creator's, or
    OAuth1 access token authorizor's privileges on the project. This patch
    fixes the issue by simply disallowing updates to keystone-controlled
    metadata in the credential.
    
    2. Respect token roles when creating EC2 credentials
    
    Without this patch, a trustee, an application credential user, or an
    OAuth1 access token holder could create an EC2 credential or an
    application credential using any roles the trustor, application
    credential creator, or access token authorizor had on the project,
    regardless of whether the creator had delegated only a limited subset of
    roles. This was because the trust_id attribute of the EC2 access blob
    was ignored, and no metadata for the application credential or access
    token was recorded either. This change ensures that the access
    delegation resource is recorded in the metadata of the EC2 credential
    when created and passed to the token provider when used for
    authentication so that the token provider can look up the correct roles
    for the request.
    
    Change-Id: I39d0d705839fbe31ac518ac9a82959e108cb7c1d
    Closes-bug: #1872733
    Closes-bug: #1872755
    Closes-bug: #1872735


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872733

Title:
  [OSSA-2020-004] Keystone V3 /credentials endpoint policy logic allows
  to change credentials owner or target project ID (CVE-2020-12691)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  "_build_target_enforcement" function checks only for "credential_id":
  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/credentials.py#L38

  Thus even having a '"identity:update_credential": "rule:cloud_admin or
  (user_id:%(target.credential.user_id)s)"' policy doesn't prevent a
  malicious user to create an EC2 credential, then change its owner and
  project ID, e.g.:

  curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{
    "credential": {
      "project_id": "_target_project_id_",
      "user_id": "_target_user_id_"
    }
  }'

  Additionally it is possible to Create a credential with any existing
  project_id, though it doesn't have a serious security issue, e.g.:

  {
    "credential": {
      "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
      "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
      "project_id": "_any_project_id_",
      "type": "ec2",
      "user_id": "_my_user_id_"
    }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872733/+subscriptions