Bug 958285 (CVE-2013-2030) - CVE-2013-2030 OpenStack nova: insecure directory creation for signing
Summary: CVE-2013-2030 OpenStack nova: insecure directory creation for signing
Alias: CVE-2013-2030
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 957485 958287 961733 961736
Blocks: 958289
TreeView+ depends on / blocked
Reported: 2013-04-30 20:11 UTC by Kurt Seifried
Modified: 2019-09-29 13:03 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-10-02 09:24:00 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Gentoo 469272 0 None None None Never

Description Kurt Seifried 2013-04-30 20:11:40 UTC
Originally reported by Grant Murphy (gmurphy):

The signing directory is used to store the signing certificates
and the default location for this directory is:

    signing_dir = /tmp/keystone-signing-nova

In the file:


During the initialization of the AuthMiddleware the following operations are made for the signing directory:

    IF the directory exists but cannot be written to a configuration error is raised.
    ELSE IF the directory doesn't exist, create it.
    NEXT chmod permisions(stat.S_IRWXU) to the signing_directory

AFAICT The signing certificates used in validation will only be fetched from the keystone if the cms_verify action raises an exception because the certificate file is missing from the signing directory.

This means that if an attacker populated the /tmp/keystone-signing-nova
with the appropriate files for signautre verification they could potentially
issue forged tokens which would be validated by the middleware. As:
    - The directory location deterministic. (default for glance, nova)
    - *If the directory already exists it is reused*

Comment 3 Jan Lieskovsky 2013-05-10 10:57:06 UTC
Created openstack-nova tracking bugs for this issue

Affects: fedora-all [bug 961733]
Affects: epel-6 [bug 961736]

Comment 4 Fedora Update System 2013-05-22 01:29:01 UTC
openstack-keystone-2012.2.4-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Kurt Seifried 2013-05-25 07:52:18 UTC
This was fixed upstream:


OpenStack Security Advisory: 2013-010
CVE: CVE-2013-2030
Date: May 9, 2013
Title: Nova uses insecure keystone middleware tmpdir by default
Reporter: Grant Murphy (Red Hat), Anton Lundin
Products: Nova
Affects: Folsom, Grizzly

Grant Murphy from Red Hat and Anton Lundin both independently reported a
vulnerability in Nova's default location for the Keystone middleware
signing directory (signing_dir). By previously setting up a malicious
directory structure, an attacker with local shell access on the Nova
node could potentially issue forged tokens that would be accepted by the
middleware. Only setups that use the default value for signing_dir are
affected. Note that future versions of the Keystone middleware will
issue a warning if an insecure signing directory is used.

Havana (development branch) fix:

Grizzly fix:

Folsom fix:


- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team

Comment 6 Xavier Queralt 2013-10-02 09:24:00 UTC
The fix for this issue is already included in the current havana and grizzly RDO packages.

Note You need to log in before you can comment on or make changes to this bug.