openstack-attic
/
openstack-security-notes
Code Issues Proposed changes

Add OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation 

vulnerability

This adds OSSN-0010, which covers a privilege escalation issue
associated with a sample Keystone v3 policy file.

Change-Id: I3213bbf4b9956b75d733f219660fcefe6a51848d
Related-Bug: #1287219
This commit is contained in:
Jamie Finnigan 2014-04-04 11:31:02 -07:00
parent 66136e3c69
commit 1c3455cc2b
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
notes/OSSN-0010 Normal file
View File

@ -0,0 +1,47 @@
Sample Keystone v3 policy exposes privilege escalation vulnerability
---
### Summary ###
The policy.v3cloudsample.json sample Keystone policy file combined with
the underlying mutability of the domain ID for user, group, and project
entities exposed a privilege escalation vulnerability. When this
sample policy is applied a domain administrator can elevate their
privileges to become a cloud administrator.
### Affected Services / Software ###
Keystone, Havana
### Discussion ###
Changes to the Keystone v3 sample policy during the Havana release cycle
set an excessively broad domain administrator scope that allowed
creation of roles ("create_grant") on other domains (among other
actions). There was no check that the domain administrator had
authority to the domain they were attempting to grant a role on.
Combining the mutable state of the domain ID for user, group, and
project entities with the sample v3 policy resulted in a privilege
escalation vulnerability. A domain administrator could execute a series
of steps to escalate their access to that of a cloud administrator.
### Recommended Actions ###
Review the following updated sample v3 policy file from the OpenStack
Icehouse release:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50
You should ensure that your Keystone deployment appropriately reflects
that update. Domain administrators should generally only be permitted
to perform actions against the domain for which they are an
administrator.
Optionally, review the recent addition of support for immutable domain
IDs and consider it for applicability to your Keystone deployment:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg