Thierry Carrez (thierry) reports:

Title: Online validation of Keystone PKI tokens bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom

Description: Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming that revoked tokens are still valid. Only setups making use of online verification of PKI tokens are affected.

Proposed patches: See attached patch. Unless a flaw is discovered in it, this patch will be merged to the Keystone stable/folsom branch on the public disclosure date.
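The bug class described in the report, as an added illustration that is not Keystone's code and not part of the original bug entry: a toy token service with a local validation path and an online (server-side) validation path. The signing scheme (an HMAC stand-in for CMS signing), the revocation identifier, the token format, the `TokenService` class and all sample values are constructed for this example. The vulnerable online path applies the cryptographic checks but never consults the revocation list; the fixed path treats revocation as part of validation on every path.

```python
import hashlib
import hmac
import json

# Constructed stand-in for PKI signing: an HMAC over the token body.
# Real Keystone PKI tokens are CMS-signed with the signing certificate;
# the key below is a placeholder, not a real secret.
SIGNING_KEY = b"placeholder-signing-key"


def sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_token(user, expires):
    """Build a constructed token: a JSON body plus its signature."""
    body = json.dumps({"user": user, "expires": expires}, sort_keys=True)
    return {"body": body, "sig": sign(body)}


def token_id(token):
    """Identifier stored in the revocation list (hash of the signed body).
    Constructed for this example; the real scheme is Keystone's own."""
    return hashlib.sha256(token["body"].encode()).hexdigest()


class TokenService:
    """Toy validator with a local (client-side) path and an online
    (server-side) path, mirroring the two options the report describes."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, token):
        self.revoked.add(token_id(token))

    def _crypto_ok(self, token, now):
        # Signature and expiry checks shared by every path.
        if not hmac.compare_digest(token["sig"], sign(token["body"])):
            return False
        return json.loads(token["body"])["expires"] > now

    def validate_local(self, token, now):
        # Local validation: cryptographic checks plus the revocation list.
        return self._crypto_ok(token, now) and token_id(token) not in self.revoked

    def validate_online_vulnerable(self, token, now):
        # The bug pattern: the server-side path trusts signature and expiry
        # but never consults the revocation list, so a revoked token passes.
        return self._crypto_ok(token, now)

    def validate_online_fixed(self, token, now):
        # Hardened path: identical to local validation, revocation included.
        return self._crypto_ok(token, now) and token_id(token) not in self.revoked


def demo():
    """Revoke a valid token and return each path's verdict for it."""
    svc = TokenService()
    now = 1_363_800_000  # constructed timestamp (March 2013)
    tok = make_token("alice", expires=now + 3600)
    svc.revoke(tok)
    return {
        "local": svc.validate_local(tok, now),
        "online_vulnerable": svc.validate_online_vulnerable(tok, now),
        "online_fixed": svc.validate_online_fixed(tok, now),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the gap the advisory describes: the same revoked token is rejected by the local path and the fixed online path, but accepted by the vulnerable online path. The practical check for a deployment is therefore not whether tokens are cryptographically valid, but whether every validation entry point, including any server-side one, consults the same revocation list.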
Created attachment 710828: folsom-CVE-2013-1865.patch
Public via: http://www.openwall.com/lists/oss-security/2013/03/20/13
This issue did NOT affect the version of the openstack-keystone package as shipped with Fedora release 17: https://review.openstack.org/#/c/24906/

This issue affects the version of the openstack-keystone package as shipped with Fedora release 18. Please schedule an update.

This issue did NOT affect the version of the openstack-keystone package as shipped with Fedora EPEL 6 (the openstack-keystone package for this product has already been updated to include the upstream change: https://launchpadlibrarian.net/131611658/validate-from-backend-grizzly-20130218.patch).
Created openstack-keystone tracking bugs for this issue Affects: fedora-18 [bug 923869]
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1865
http://www.openwall.com/lists/oss-security/2013/03/20/13
https://bugs.launchpad.net/keystone/+bug/1129713
https://review.openstack.org/#/c/24906/
http://www.ubuntu.com/usn/USN-1772-1
http://www.securityfocus.com/bid/58616
http://osvdb.org/91532
http://secunia.com/advisories/52657
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Guang Yee (HP) as the original reporter.
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 928406]
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6, via RHSA-2013:0708 https://rhn.redhat.com/errata/RHSA-2013-0708.html
openstack-keystone-2012.2.3-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.