Bug 1112668 (CVE-2014-3520)

Summary: CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, jlennox, jrusnack, lhh, markmc, nkinder, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-01 05:41:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1115640, 1115641, 1115642, 1115643, 1116152, 1116153, 1116481, 1118196    
Bug Blocks: 1112670    
Attachments:
Description Flags
stable/havana patch for CVE-2014-3520
none
stable/icehouse patch for CVE-2014-3520
none
master/juno patch for CVE-2014-3520 none

Description Vasyl Kaigorodov 2014-06-24 12:49:53 UTC 
The OpenStack project reports:

...
Title: Keystone V2 trusts privilege escalation through user supplied project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
By using an out of scope project id, a trustee may gain unauthorized
access if the trustor has the required roles in the requested project
id. All Keystone deployments configured to enable trusts and V2 API are
affected.
...

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jamie Lennox from Red Hat as the original reporter.
Comment 1 Vincent Danen 2014-06-27 14:21:22 UTC 
Created attachment 912842 [details]
stable/havana patch for CVE-2014-3520
Comment 2 Vincent Danen 2014-06-27 14:21:56 UTC 
Created attachment 912843 [details]
stable/icehouse patch for CVE-2014-3520
Comment 3 Vincent Danen 2014-06-27 14:22:28 UTC 
Created attachment 912844 [details]
master/juno patch for CVE-2014-3520
Comment 5 Vincent Danen 2014-07-02 19:47:03 UTC 
This issue is now public:

http://openwall.com/lists/oss-security/2014/07/02/7
https://bugs.launchpad.net/keystone/+bug/1331912
Comment 7 Vincent Danen 2014-07-02 19:48:44 UTC 
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-19 [bug 1115640]
Affects: fedora-20 [bug 1115641]
Affects: epel-6 [bug 1115642]
Comment 22 Martin Prpič 2014-07-31 14:50:54 UTC 
IssueDescription:

A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
Comment 23 errata-xmlrpc 2014-07-31 15:18:23 UTC 
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6
  OpenStack 4 for RHEL 6

Via RHSA-2014:0994 https://rhn.redhat.com/errata/RHSA-2014-0994.html
Comment 24 Fedora Update System 2014-08-07 15:24:20 UTC 
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.