openstack-attic/openstack-security-notes
Code Issues Proposed changes

Merge "Add OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability"

Browse Source
This commit is contained in:
Jenkins 2014-04-17 18:42:56 +00:00 committed by Gerrit Code Review
commit 3e3088b00d
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
notes/OSSN-0010 Normal file
View File

@ -0,0 +1,47 @@
Sample Keystone v3 policy exposes privilege escalation vulnerability
---
### Summary ###
The policy.v3cloudsample.json sample Keystone policy file combined with
the underlying mutability of the domain ID for user, group, and project
entities exposed a privilege escalation vulnerability. When this
sample policy is applied a domain administrator can elevate their
privileges to become a cloud administrator.
### Affected Services / Software ###
Keystone, Havana
### Discussion ###
Changes to the Keystone v3 sample policy during the Havana release cycle
set an excessively broad domain administrator scope that allowed
creation of roles ("create_grant") on other domains (among other
actions). There was no check that the domain administrator had
authority to the domain they were attempting to grant a role on.
Combining the mutable state of the domain ID for user, group, and
project entities with the sample v3 policy resulted in a privilege
escalation vulnerability. A domain administrator could execute a series
of steps to escalate their access to that of a cloud administrator.
### Recommended Actions ###
Review the following updated sample v3 policy file from the OpenStack
Icehouse release:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50
You should ensure that your Keystone deployment appropriately reflects
that update. Domain administrators should generally only be permitted
to perform actions against the domain for which they are an
administrator.
Optionally, review the recent addition of support for immutable domain
IDs and consider it for applicability to your Keystone deployment:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg