Bug 1024401 - (CVE-2013-4477) CVE-2013-4477 openstack-keystone: unintentional role granting with Keystone LDAP backend
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131021,repor...
Keywords: Security
Depends On: 1024441 1024442 1024443 1024446 1024447
Blocks: 1024402
Reported: 2013-10-29 11:17 EDT by Vincent Danen
Modified: 2016-04-26 09:50 EDT (History)
CC: 23 users
Doc Type: Bug Fix
Last Closed: 2014-03-27 20:59:31 EDT
Attachments
CVE-2013-4477-grizzly.patch (3.25 KB, patch), 2013-10-29 12:57 EDT, Kurt Seifried
CVE-2013-4477-havana.patch (3.05 KB, patch), 2013-10-29 12:57 EDT, Kurt Seifried
CVE-2013-4477-icehouse.patch (2.79 KB, patch), 2013-10-29 12:58 EDT, Kurt Seifried

Description Vincent Danen 2013-10-29 11:17:35 EDT
The following flaw in OpenStack Grizzly and Havana was reported [1],[2]:

The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected.

A CVE has been requested.

[1] https://bugs.launchpad.net/keystone/+bug/1242855
[2] http://seclists.org/oss-sec/2013/q4/186
Comment 1 Vincent Danen 2013-10-29 11:23:36 EDT
The Grizzly fix is here:

https://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc

The Havana fix is here:

https://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0

The upstream bug report contains fairly detailed reproduction instructions as well.  Note that this requires administrator privileges.
Comment 2 Kurt Seifried 2013-10-29 12:23:04 EDT
Upstream fix information:

Reviewed: https://review.openstack.org/53010
Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa
Submitter: Jenkins
Branch: master

commit b17e7bec768bd53d3977352486378698a3db3cfa
Author: Brant Knudson <bknudson@us.ibm.com>
Date: Mon Oct 21 15:21:12 2013 -0500

    Enhance tests for deleting a role not assigned

    There wasn't a test that showed what happens when a role is
    deleted that was never assigned.

    Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506
    Related-bug: #1242855

Reviewed: https://review.openstack.org/53012
Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0
Submitter: Jenkins
Branch: master

commit c6800ca1ac984c879e75826df6694d6199444ea0
Author: Brant Knudson <bknudson@us.ibm.com>
Date: Mon Oct 21 15:31:23 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

    This change makes it so that when an attempt is made to remove a role
    that wasn't assigned, 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
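The behaviour described in the report and in the fix commit above, written up as an added regression check; this is not part of the bug, of the upstream test commit, or of Keystone's own code. The check calls a role-assignment client exposing `roles_for_user()` and `remove_user_role()` (method names assumed, modelled on python-keystoneclient's v2 role manager) and verifies the post-fix contract: removing a role the user does not hold must fail with "not found" and must leave the user's roles unchanged. The two in-memory backends are constructed stand-ins, not the real LDAP or SQL backends: one implements the corrected semantics, the other reproduces the reported unintended grant so the check can be seen to catch it.

```python
"""Regression check for the CVE-2013-4477 behaviour: removing a role a user
does not hold must fail with "not found" and must not change the user's roles.
Constructed example; the backends below are not Keystone's LDAP/SQL backends."""


class NotFound(Exception):
    """Stands in for the HTTP 404 Not Found the fixed backend returns."""


class FixedAssignments:
    """In-memory backend with the corrected semantics (404 on unassigned role)."""

    def __init__(self):
        # (user_id, tenant_id) -> set of role_ids; filled with constructed data
        self._grants = {}

    def add_user_role(self, user_id, role_id, tenant_id):
        self._grants.setdefault((user_id, tenant_id), set()).add(role_id)

    def roles_for_user(self, user_id, tenant_id):
        return sorted(self._grants.get((user_id, tenant_id), set()))

    def remove_user_role(self, user_id, role_id, tenant_id):
        held = self._grants.get((user_id, tenant_id), set())
        if role_id not in held:
            raise NotFound(f"role {role_id} not assigned to {user_id} on {tenant_id}")
        held.discard(role_id)


class VulnerableAssignments(FixedAssignments):
    """Models the reported LDAP-backend behaviour: removing a role that was
    never assigned silently creates the assignment instead of failing."""

    def remove_user_role(self, user_id, role_id, tenant_id):
        held = self._grants.setdefault((user_id, tenant_id), set())
        if role_id in held:
            held.discard(role_id)
        else:
            held.add(role_id)  # the unintended grant described in the report


def check_remove_unassigned_role(client, user_id, role_id, tenant_id):
    """Return (passed, detail). role_id must be one the user does not hold,
    so the removal must raise NotFound and leave the role set unchanged."""
    before = client.roles_for_user(user_id, tenant_id)
    if role_id in before:
        return False, "precondition failed: user already holds the role"
    try:
        client.remove_user_role(user_id, role_id, tenant_id)
    except NotFound:
        raised = True
    else:
        raised = False
    after = client.roles_for_user(user_id, tenant_id)
    gained = sorted(set(after) - set(before))
    if gained:
        return False, f"unassigned-role removal granted {gained}"
    if not raised:
        return False, "removal of unassigned role did not fail with NotFound"
    return True, "remove of unassigned role rejected, assignments unchanged"


def run_demo():
    """Run the check against both stand-in backends; returns {name: (ok, detail)}."""
    results = {}
    for name, backend in (("fixed", FixedAssignments()),
                          ("vulnerable", VulnerableAssignments())):
        backend.add_user_role("alice", "Member", "demo")  # constructed sample grant
        # "admin" is a role alice does not hold on tenant "demo"
        results[name] = check_remove_unassigned_role(backend, "alice", "admin", "demo")
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {detail}")
```

Against a real deployment the same `check_remove_unassigned_role()` can be pointed at a client object with those two methods; the role-gain comparison is the part that matters, since a backend that returns 404 but still writes the assignment would only be caught by diffing the role set before and after.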
Comment 4 Kurt Seifried 2013-10-29 12:37:27 EDT
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1024441]
Affects: epel-6 [bug 1024442]
Comment 5 Kurt Seifried 2013-10-29 12:57:12 EDT
Created attachment 817139 [details]
CVE-2013-4477-grizzly.patch
Comment 6 Kurt Seifried 2013-10-29 12:57:47 EDT
Created attachment 817140 [details]
CVE-2013-4477-havana.patch
Comment 7 Kurt Seifried 2013-10-29 12:58:26 EDT
Created attachment 817141 [details]
CVE-2013-4477-icehouse.patch
Comment 8 Fedora Update System 2013-11-07 23:32:01 EST
openstack-keystone-2013.1.4-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-12-28 18:38:05 EST
openstack-keystone-2013.2.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2014-01-30 15:01:17 EST
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0113 https://rhn.redhat.com/errata/RHSA-2014-0113.html
