Bug 1290774 (CVE-2015-7546)

Summary: CVE-2015-7546 openstack-keystone: Improper check of tampered revoked PKI/PKIZ token
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, acanan, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, nkinder, rbryant, sclewis, security-response-team, slinaber, srevivo, tdecacqu
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-11-10 04:57:37 UTC
Bug Depends On: 1299682, 1299683, 1299684
Bug Blocks: 1290776

Description Adam Mariš 2015-12-11 12:20:49 UTC
It was reported that when the PKI or PKIZ token providers are used, it is possible for an attacker to manipulate the token contents of a revoked token such that the token will still be considered to be valid. Identity service checks it by searching for a revocation by the entire token. It is possible for an attacker to manipulate portions of an intercepted PKI or PKIZ token that are not cryptographically protected, which will cause the revocation check to improperly consider the token to be valid. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker.

Users are recommended to not use PKI or PKIZ token providers and to switch to using another supported token provider, such as UUID, in case they're already using PKI/PKIZ tokens.

The keystone.conf file stores the configuration of the Identity service:

#---- begin keystone.conf sample snippet ----
[token]
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider
#---- end keystone.conf sample snippet ----

In Liberty:

#---- begin keystone.conf sample snippet ----
[token]
#provider = pki
#provider = pkiz
provider = uuid
#---- end keystone.conf sample snippet ----

The commented out settings in the examples above are vulnerable.
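
The revocation weakness described in the report, as an added toy example that is not from the bug report or from keystone: a signed payload wrapped PKIZ-style (zlib, then URL-safe base64), where the wrapper lies outside the signature, so one valid token has several wire encodings. HMAC stands in for the CMS signature, the hash functions are stand-ins, and the audit_id field, the constants and the function names are assumptions. A revocation list keyed on a hash of the bytes as received misses a re-encoded copy of a revoked token; keying on a field that the signature covers does not.

```python
import base64
import hashlib
import hmac
import json
import zlib

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signing certificate (assumption)
PAYLOAD = {"audit_id": "constructed-audit-id", "user": "alice"}  # constructed sample token body

def sign_payload(payload: dict) -> bytes:
    # Canonical JSON body plus an HMAC over it; the HMAC stands in for the CMS signature.
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def wrap(signed: bytes, level: int) -> str:
    # PKIZ-style wrapper: zlib then urlsafe base64; the wrapper itself is not signed.
    return base64.urlsafe_b64encode(zlib.compress(signed, level)).decode()

def unwrap_and_verify(token: str) -> dict:
    # Strip the wrapper, check the signature over the body, return the payload.
    body, mac = zlib.decompress(base64.urlsafe_b64decode(token)).rsplit(b".", 1)
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode(), mac):
        raise ValueError("signature check failed")
    return json.loads(body)

def wire_hash(token: str) -> str:
    # Key of the weak revocation list: a hash of the token bytes as received.
    return hashlib.sha256(token.encode()).hexdigest()

def is_revoked_weak(token: str, revoked_hashes: set) -> bool:
    # Vulnerable: any change to the unsigned wrapper changes the lookup key.
    return wire_hash(token) in revoked_hashes

def is_revoked_hardened(token: str, revoked_audit_ids: set) -> bool:
    # Hardened: verify the signature, then key on a field the signature covers.
    return unwrap_and_verify(token)["audit_id"] in revoked_audit_ids

def demo() -> dict:
    signed = sign_payload(PAYLOAD)
    issued = wrap(signed, 9)     # the token as issued
    reencoded = wrap(signed, 0)  # same signed content, re-wrapped with stored (level 0) blocks
    revoked_by_wire = {wire_hash(issued)}
    revoked_by_id = {PAYLOAD["audit_id"]}
    return {
        "encodings_differ": issued != reencoded,
        "both_verify": unwrap_and_verify(issued) == unwrap_and_verify(reencoded),
        "weak_catches_issued": is_revoked_weak(issued, revoked_by_wire),
        "weak_catches_reencoded": is_revoked_weak(reencoded, revoked_by_wire),
        "hardened_catches_reencoded": is_revoked_hardened(reencoded, revoked_by_id),
    }
```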

Comment 2 Garth Mollett 2016-01-19 00:48:57 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1299683]