Merge "Add OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
3e3088b00d
47
notes/OSSN-0010
Normal file
47
notes/OSSN-0010
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
Sample Keystone v3 policy exposes privilege escalation vulnerability
|
||||||
|
---
|
||||||
|
|
||||||
|
### Summary ###
|
||||||
|
The policy.v3cloudsample.json sample Keystone policy file combined with
|
||||||
|
the underlying mutability of the domain ID for user, group, and project
|
||||||
|
entities exposed a privilege escalation vulnerability. When this
|
||||||
|
sample policy is applied a domain administrator can elevate their
|
||||||
|
privileges to become a cloud administrator.
|
||||||
|
|
||||||
|
### Affected Services / Software ###
|
||||||
|
Keystone, Havana
|
||||||
|
|
||||||
|
### Discussion ###
|
||||||
|
Changes to the Keystone v3 sample policy during the Havana release cycle
|
||||||
|
set an excessively broad domain administrator scope that allowed
|
||||||
|
creation of roles ("create_grant") on other domains (among other
|
||||||
|
actions). There was no check that the domain administrator had
|
||||||
|
authority to the domain they were attempting to grant a role on.
|
||||||
|
|
||||||
|
Combining the mutable state of the domain ID for user, group, and
|
||||||
|
project entities with the sample v3 policy resulted in a privilege
|
||||||
|
escalation vulnerability. A domain administrator could execute a series
|
||||||
|
of steps to escalate their access to that of a cloud administrator.
|
||||||
|
|
||||||
|
### Recommended Actions ###
|
||||||
|
Review the following updated sample v3 policy file from the OpenStack
|
||||||
|
Icehouse release:
|
||||||
|
|
||||||
|
https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50
|
||||||
|
|
||||||
|
You should ensure that your Keystone deployment appropriately reflects
|
||||||
|
that update. Domain administrators should generally only be permitted
|
||||||
|
to perform actions against the domain for which they are an
|
||||||
|
administrator.
|
||||||
|
|
||||||
|
Optionally, review the recent addition of support for immutable domain
|
||||||
|
IDs and consider it for applicability to your Keystone deployment:
|
||||||
|
|
||||||
|
https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a
|
||||||
|
|
||||||
|
### Contacts / References ###
|
||||||
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
|
||||||
|
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
|
||||||
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||||
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user