From 1c3455cc2b51bf3a998a361fb23d51c324e73f7c Mon Sep 17 00:00:00 2001
From: Jamie Finnigan
Date: Fri, 4 Apr 2014 11:31:02 -0700
Subject: [PATCH] Add OSSN-0010 - Sample Keystone v3 policy exposes privilege escalation vulnerability

This adds OSSN-0010, which covers a privilege escalation issue associated
with a sample Keystone v3 policy file.

Change-Id: I3213bbf4b9956b75d733f219660fcefe6a51848d
Related-Bug: #1287219
---
 notes/OSSN-0010 | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 notes/OSSN-0010

diff --git a/notes/OSSN-0010 b/notes/OSSN-0010
new file mode 100644
index 0000000..f329c83
--- /dev/null
+++ b/notes/OSSN-0010
@@ -0,0 +1,47 @@ +Sample Keystone v3 policy exposes privilege escalation vulnerability +--- + +### Summary ### +The policy.v3cloudsample.json sample Keystone policy file combined with +the underlying mutability of the domain ID for user, group, and project +entities exposed a privilege escalation vulnerability. When this +sample policy is applied a domain administrator can elevate their +privileges to become a cloud administrator. + +### Affected Services / Software ### +Keystone, Havana + +### Discussion ### +Changes to the Keystone v3 sample policy during the Havana release cycle +set an excessively broad domain administrator scope that allowed +creation of roles ("create_grant") on other domains (among other +actions). There was no check that the domain administrator had +authority to the domain they were attempting to grant a role on. + +Combining the mutable state of the domain ID for user, group, and +project entities with the sample v3 policy resulted in a privilege +escalation vulnerability. A domain administrator could execute a series +of steps to escalate their access to that of a cloud administrator. + +### Recommended Actions ### +Review the following updated sample v3 policy file from the OpenStack +Icehouse release: + +https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50 + +You should ensure that your Keystone deployment appropriately reflects +that update. Domain administrators should generally only be permitted +to perform actions against the domain for which they are an +administrator. 
+ +Optionally, review the recent addition of support for immutable domain +IDs and consider it for applicability to your Keystone deployment: + +https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a + +### Contacts / References ### +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010 +Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219 +OpenStack Security ML : openstack-security@lists.openstack.org +OpenStack Security Group : https://launchpad.net/~openstack-ossg +
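Review bot: In the Discussion section, "creation of roles ("create_grant")" misdescribes the policy target: the Keystone `identity:create_grant` rule governs assigning an existing role to a user or group on a project or domain, not creating a role, so the sentence should read along the lines of "allowed granting of roles ("create_grant") on other domains". The Recommended Actions section would also be more actionable if it said what the linked Icehouse change does rather than only pointing at the commit: per the Discussion, the missing check was that the domain targeted by the grant matches the domain the administrator is scoped to, so operators who have customised their policy file should verify that create_grant and the other domain-admin rules are constrained to the caller's own domain ID. Finally, "Keystone, Havana" under Affected Services / Software leaves it unclear that only deployments which actually applied policy.v3cloudsample.json are exposed; the Summary already says "When this sample policy is applied", and that qualifier belongs in the Affected section too.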