Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004)

Bug #1680766 reported by Dmitry Mescheryakov
Affects              Status        Importance  Assigned to      Milestone
Mirantis OpenStack   Won't Fix     High        MOS Keystone
7.0.x                Invalid       High        MOS Maintenance
8.0.x                Invalid       High        MOS Maintenance
9.x                  Fix Released  High        MOS Keystone

Bug Description

Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mail.Ru)
Products: Keystone
Affects: ==11.0.0

Description:
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned to
the user's project regardless of the federation mapping when there are
rules in which group-based assignments are not used. For example, by
requesting an admin user to get a role in their project, the user may be
granted the admin privileges for new scoped tokens. All setups using
Keystone federation with project auto-provisioning and no group-based
assignment rules are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to their corresponding branches on the public disclosure date.

CVE: CVE-2017-2673

Proposed public disclosure date/time:
2017-04-12, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
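The affected configuration named above (mapping rules that auto-provision projects without any group-based assignment) can be spotted by inspecting the mapping document. The following is an added example, not Keystone's own code or the attached patches; it assumes the Keystone mapping-rule JSON layout (a "rules" list whose entries carry "local" and "remote" sections), and the sample mapping is constructed for illustration.

```python
"""Flag Keystone federation mapping rules in the shape OSSA-2017-004
(CVE-2017-2673) describes as affected: a "projects" local entry
(auto-provisioning) with no "group"/"groups" local entry."""
import json

# Constructed sample mapping: rule 0 auto-provisions a project with no
# group entry (affected shape); rule 1 assigns via a group (unaffected).
SAMPLE_MAPPING = json.dumps({
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"projects": [
                    {"name": "{1}", "roles": [{"name": "member"}]}
                ]},
            ],
            "remote": [{"type": "REMOTE_USER"},
                       {"type": "REMOTE_PROJECT"}],
        },
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"id": "federated-users"}},  # placeholder id
            ],
            "remote": [{"type": "REMOTE_USER"}],
        },
    ]
})


def find_affected_rules(mapping_json):
    """Return indexes of rules whose local section auto-provisions
    projects but contains no group-based assignment."""
    mapping = json.loads(mapping_json)
    affected = []
    for idx, rule in enumerate(mapping.get("rules", [])):
        local = rule.get("local", [])
        provisions_projects = any("projects" in entry for entry in local)
        uses_groups = any("group" in entry or "groups" in entry
                          for entry in local)
        if provisions_projects and not uses_groups:
            affected.append(idx)
    return affected


if __name__ == "__main__":
    for idx in find_affected_rules(SAMPLE_MAPPING):
        print("rule %d: project auto-provisioning without a group-based "
              "assignment; confirm the CVE-2017-2673 fix is deployed" % idx)
```

A hit only means the deployment matches the affected configuration; whether the running Keystone carries the fix still has to be checked against the patched branches.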

summary: - [pre-OSSA] Vulnerability in OpenStack Keystone (CVE-2017-2673)
+ Incorrect role assignment with federated Keystone (CVE-2017-2673)
description: updated
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote : Re: Incorrect role assignment with federated Keystone (CVE-2017-2673)

It doesn't seem like we have an appropriate milestone for it, feel free to retarget.

Changed in mos:
milestone: none → 10.0
status: New → Confirmed
Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

After code review it became apparent that Mitaka is also vulnerable and most likely Liberty also.
Please backport fix for Mitaka and Liberty.

Revision history for this message
Ilya Bumarskov (ibumarskov) wrote :

Verified (code only) on Fuel 9.2 MU2 (MOS_UBUNTU_ID=9.0-2017-06-20-142429)

tags: added: feature-security
Changed in mos:
status: Confirmed → Won't Fix
summary: Incorrect role assignment with federated Keystone (CVE-2017-2673)
+ (OSSA-2017-004)
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

According to https://bugs.launchpad.net/keystone/+bug/1677723/comments/9 versions prior to Mitaka are not affected, closing as Invalid for 7.0 and 8.0

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Invalid for Kilo is OK for me, however Denis please provide more detailed explanation with some code examples why this is invalid. It was requested by one of our customers who would like to understand why Kilo is not affected.

information type: Private Security → Public Security