Sample Keystone v3 policy exposes privilege escalation vulnerability
---
### Summary ###
The policy.v3cloudsample.json sample Keystone policy file, combined with the
underlying mutability of the domain ID for user, group, and project entities,
exposed a privilege escalation vulnerability. When this sample policy is
applied, a domain administrator can elevate their privileges to become a cloud
administrator.

### Affected Services / Software ###
Keystone, Havana

### Discussion ###
Changes to the Keystone v3 sample policy during the Havana release cycle set an
excessively broad domain administrator scope that allowed role assignments to
be granted ("create_grant") on other domains, among other actions. There was no
check that the domain administrator had authority over the domain on which they
were attempting to grant a role. Combining the mutable state of the domain ID
for user, group, and project entities with the sample v3 policy resulted in a
privilege escalation vulnerability: a domain administrator could execute a
series of steps to escalate their access to that of a cloud administrator.

### Recommended Actions ###
Review the following updated sample v3 policy file from the OpenStack Icehouse
release:

https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50

Ensure that your Keystone deployment appropriately reflects that update. In
particular, check the "identity:create_grant" rule in the policy file your
Keystone service actually loads (not only the sample shipped with the package)
and confirm that it constrains the domain being granted on, not just the
caller's role. Domain administrators should generally only be permitted to
perform actions against the domain for which they are an administrator.
Optionally, review the recent addition of support for immutable domain IDs and
consider it for applicability to your Keystone deployment:

https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2fa6a6f01a4884edf369cafa39946636af5cf1a

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
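The following is an added illustration, not code from Keystone or from this
OSSN. It models the two points above with a toy evaluator for the subset of the
Keystone policy.json rule language needed here: first, why a "create_grant"
rule that only requires the admin role (the Discussion section's missing
check) lets an administrator of domain d1 grant a role on another domain, while
a rule that also matches the caller's domain_id against the request target does
not; second, the effect of treating domain_id as immutable on entity updates.
The WEAK_POLICY and FIXED_POLICY texts are illustrative and are not the verbatim
Havana or Icehouse sample files; the literal "admin_domain_id", the rule names
"cloud_admin" and "domain_admin_for_grants", the rule grammar (no
parentheses, "and" binds tighter than "or"), and the domain_id_immutable flag
are all assumptions made for the example.

```python
# Added example (not Keystone or OSSN code): a toy evaluator for the subset of
# the Keystone policy.json rule language used below.  Assumptions: rules are
# 'atom [and atom] [or atom ...]' with 'and' binding tighter and no
# parentheses; credentials carry 'roles' and 'domain_id'; the target dict
# carries the request's domain_id.  Policy texts are illustrative only.
import re

_TEMPLATE = re.compile(r"^%\((?P<path>[\w.]+)\)s$")  # e.g. %(domain_id)s


def _lookup(target, path):
    """Resolve a dotted path such as 'target.domain_id' inside the target dict."""
    node = target
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _check_atom(atom, rules, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(value, rules, creds, target)
    if kind == "role":                      # caller must hold this role
        return value in creds.get("roles", [])
    # generic 'cred_key:value': value is a literal or a %(target path)s template
    match = _TEMPLATE.match(value)
    expected = _lookup(target, match.group("path")) if match else value
    return expected is not None and creds.get(kind) == expected


def enforce(rule_name, rules, creds, target):
    """True if the caller (creds) may perform rule_name against target."""
    expression = rules[rule_name]
    for disjunct in expression.split(" or "):
        if all(_check_atom(a.strip(), rules, creds, target)
               for a in disjunct.split(" and ")):
            return True
    return False


# Illustrative 'before': create_grant needs only the admin role, no domain check.
WEAK_POLICY = {
    "admin_required": "role:admin",
    "identity:create_grant": "rule:admin_required",
}

# Illustrative 'after': the cloud admin (admin role in the designated admin
# domain, here the placeholder literal 'admin_domain_id') may grant anywhere;
# any other admin may only grant on the domain named in the request.
FIXED_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin_for_grants": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants",
}


def can_create_grant(policy, creds, domain_id):
    """Would this policy let creds create a role assignment on domain_id?"""
    return enforce("identity:create_grant", policy, creds, {"domain_id": domain_id})


class ImmutableDomainIdError(ValueError):
    """Raised when an update would move an entity into another domain."""


def update_entity(entity, changes, domain_id_immutable=True):
    """Apply an attribute update to a user/group/project dict.

    With domain_id_immutable set (a flag standing in for the immutable domain
    ID support referenced above, not Keystone's real option), a change of
    domain_id is refused instead of silently re-homing the entity.
    """
    if (domain_id_immutable and "domain_id" in changes
            and changes["domain_id"] != entity.get("domain_id")):
        raise ImmutableDomainIdError(
            "domain_id of %s is immutable" % entity.get("id", "<entity>"))
    updated = dict(entity)
    updated.update(changes)
    return updated


if __name__ == "__main__":
    # Constructed sample principals: an admin of domain 'd1' and the cloud admin.
    domain_admin = {"roles": ["admin"], "domain_id": "d1"}
    cloud_admin = {"roles": ["admin"], "domain_id": "admin_domain_id"}
    print("weak policy, d1 admin grants on admin domain:",
          can_create_grant(WEAK_POLICY, domain_admin, "admin_domain_id"))   # True
    print("fixed policy, d1 admin grants on admin domain:",
          can_create_grant(FIXED_POLICY, domain_admin, "admin_domain_id"))  # False
    print("fixed policy, d1 admin grants on d1:",
          can_create_grant(FIXED_POLICY, domain_admin, "d1"))               # True
    print("fixed policy, cloud admin grants on d1:",
          can_create_grant(FIXED_POLICY, cloud_admin, "d1"))                # True
```

The evaluator deliberately returns False when a templated target attribute is
absent from the request, so a rule that expects a domain_id in the target
fails closed rather than matching on a missing value.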