-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Owners of compromised accounts should verify Keystone trusts - ---
### Summary ### The Keystone 'trusts' API allows for delegation of privileges to one user on behalf of another. This API can allow for an attacker of a compromised account to set up backdoor access into the account. This backdoor may not be easily detected, even if the account compromise is detected. ### Affected Services / Software ### Keystone, Grizzly, Havana, Icehouse ### Discussion ### The Keystone trusts system allows for delegation of roles to Keystone users without disclosing the main token, or sharing the account secret key with those users. That means, after an account is compromised, the change of the secret key and the invalidation of existing tokens may not be enough to prevent future access from an attackers. If an attacker obtains access to the account (via stolen credentials or service exploitation), they can create a new Keystone trust. This new trust may grant access not dependent on any knowledge of the compromised user's secret key and can also be set to never expire. In this case, the trust has to be manually found and removed by the account owner. Information about using trusts can be found at: https://wiki.openstack.org/wiki/Keystone/Trusts ### Recommended Actions ### If the account has been compromised, or is being audited, the owner should check the list of active trusts and verify that: - - all the active trusts are needed - - all the active trusts have the expected roles and delegation depth - - all the active trusts have appropriate expiration lifetimes At the time of writing this OSSN, trusts can be listed by using the Keystone API directly: - ---- begin CLI example ---- # get ENDPOINT from the last field of the output keystone endpoint-get --service identity --attr versionId \ --value 3.0 # get TOKEN from the last field of the output keystone token-get # list the trusts by running: curl -i -X GET "ENDPOINT/trusts/" -H "X-Auth-Token: TOKEN" \ -H "Content-Type: application/json" -H "Accept: application/json" - ---- end CLI example ---- If some trust (with id TRUST_ID) is identified as invalid, it can be deleted using: - ---- begin CLI example ---- curl -i -X DELETE "ENDPOINT/trusts/TRUST_ID" \ -H "X-Auth-Token: TOKEN" -H "Content-Type: application/json" \ -H "Accept: application/json" - ---- end CLI example ---- In the future, operators will be able to use keystoneclient for a more convenient method of accessing and updating this information. ### Contacts / References ### This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0021 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1341849 OpenStack Security ML : openstack-secur...@lists.openstack.org OpenStack Security Group : https://launchpad.net/~openstack-ossg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJT0sTLAAoJEJa+6E7Ri+EVQpYIAJHSUsW4V1h6xD3Uvi+8sYVU rc5+rDuOqoNwWmRw19qf0fuLPsBmoB/HvG/hfgdgazcrcBK6I/hR74bdH3CLE7Ew dCFabstGUexNBDp84RchqDyu6vjB6oNGI3325fwgZcTq9WFTr5Jbc6gw1xov3gPC 0BForhceXpwVj3y7im2xtkId23wQwwB/AYerRnuZ8DsvFy9xPWiFub7w6WmzwpHj BM38MTLS4GJZ3cDCXchp9u+z7rh6Jb34PHMKeXWzka+LasK0A+RqamvfC8OYB2rv 9Tmrt0GxbfSb/ereB3EEpu6LPkMtepjJtBxE+cv6PekfDLdri7+wHZUDXVYTtZ4= =l08k -----END PGP SIGNATURE----- _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev