Difference between revisions of "OSSN/OSSN-0010"
(Created page with "__NOTOC__ == Sample Keystone v3 policy exposes privilege escalation vulnerability == === Summary === The ''policy.v3cloudsample.json'' sample Keystone policy file combined wi...") |
m (→Contacts / References) |
||
| Line 41: | Line 41: | ||
=== Contacts / References === | === Contacts / References === | ||
| + | * Author: Jamie Finnigan, HP | ||
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010 | * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010 | ||
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219 | * Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219 | ||
* OpenStack Security ML : openstack-security@lists.openstack.org | * OpenStack Security ML : openstack-security@lists.openstack.org | ||
* OpenStack Security Group : https://launchpad.net/~openstack-ossg | * OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||
Latest revision as of 09:20, 22 July 2016
Sample Keystone v3 policy exposes privilege escalation vulnerability
Summary
The policy.v3cloudsample.json sample Keystone policy file combined with the underlying mutability of the domain ID for user, group, and project entities exposed a privilege escalation vulnerability. When this sample policy is applied a domain administrator can elevate their privileges to become a cloud administrator.
Affected Services / Software
Keystone, Havana
Discussion
Changes to the Keystone v3 sample policy during the Havana release cycle set an excessively broad domain administrator scope that allowed creation of roles (create_grant) on other domains (among other actions). There was no check that the domain administrator had authority to the domain they were attempting to grant a role on.
Combining the mutable state of the domain ID for user, group, and project entities with the sample v3 policy resulted in a privilege escalation vulnerability. A domain administrator could execute a series of steps to escalate their access to that of a cloud administrator.
Recommended Actions
Review the following updated sample v3 policy file from the OpenStack Icehouse release:
You should ensure that your Keystone deployment appropriately reflects that update. Domain administrators should generally only be permitted to perform actions against the domain for which they are an administrator.
Optionally, review the recent addition of support for immutable domain IDs and consider it for applicability to your Keystone deployment:
Contacts / References
- Author: Jamie Finnigan, HP
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
- Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg
