OSSN/OSSN-0010
Sample Keystone v3 policy exposes privilege escalation vulnerability
Summary
The policy.v3cloudsample.json sample Keystone policy file combined with the underlying mutability of the domain ID for user, group, and project entities exposed a privilege escalation vulnerability. When this sample policy is applied a domain administrator can elevate their privileges to become a cloud administrator.
Affected Services / Software
Keystone, Havana
Discussion
Changes to the Keystone v3 sample policy during the Havana release cycle set an excessively broad domain administrator scope that allowed creation of roles (create_grant) on other domains (among other actions). There was no check that the domain administrator had authority to the domain they were attempting to grant a role on.
Combining the mutable state of the domain ID for user, group, and project entities with the sample v3 policy resulted in a privilege escalation vulnerability. A domain administrator could execute a series of steps to escalate their access to that of a cloud administrator.
Recommended Actions
Review the following updated sample v3 policy file from the OpenStack Icehouse release:
You should ensure that your Keystone deployment appropriately reflects that update. Domain administrators should generally only be permitted to perform actions against the domain for which they are an administrator.
Optionally, review the recent addition of support for immutable domain IDs and consider it for applicability to your Keystone deployment:
Contacts / References
- Author: Jamie Finnigan, HP
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0010
- Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1287219
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg