OSSN/OSSN-0021

Summary
The Keystone 'trusts' API allows for delegation of privileges to one user on behalf of another. This API can allow for an attacker of a compromised account to set up backdoor access into the account. This backdoor may not be easily detected, even if the account compromise is detected.

Affected Services / Software
Keystone, Grizzly, Havana, Icehouse

Discussion
The Keystone trusts system allows for delegation of roles to Keystone users without disclosing the main token, or sharing the account secret key with those users. That means, after an account is compromised, the change of the secret key and the invalidation of existing tokens may not be enough to prevent future access from an attackers.

If an attacker obtains access to the account (via stolen credentials or service exploitation), they can create a new Keystone trust. This new trust may grant access not dependent on any knowledge of the compromised user's secret key and can also be set to never expire. In this case, the trust has to be manually found and removed by the account owner.

Information about using trusts can be found at https://wiki.openstack.org/wiki/Keystone/Trusts

Recommended Actions
If the account has been compromised, or is being audited, the owner should check the list of active trusts and verify that:

- all the active trusts are needed - all the active trusts have the expected roles and delegation depth - all the active trusts have appropriate expiration lifetimes

At the time of writing this OSSN, trusts can be listed by using the Keystone API directly:

# get ENDPOINT from the last field of the output keystone endpoint-get --service identity --attr versionId \ --value 3.0 # get TOKEN from the last field of the output keystone token-get # list the trusts by running: curl -i -X GET "ENDPOINT/trusts/" -H "X-Auth-Token: TOKEN" \ -H "Content-Type: application/json" -H "Accept: application/json"

If some trust (with id TRUST_ID) is identified as invalid, it can be deleted using:

curl -i -X DELETE "ENDPOINT/trusts/TRUST_ID" \ -H "X-Auth-Token: TOKEN" -H "Content-Type: application/json" \ -H "Accept: application/json"

In the future, operators will be able to use keystoneclient for a more convenient method of accessing and updating this information.

Contacts / References

 * Author: Stanislaw Pitucha, HPE
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0021
 * Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1341849
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg