Originally reported by Grant Murphy (gmurphy):
The signing directory is used to store the signing certificates
and the default location for this directory is:
signing_dir = /tmp/keystone-signing-nova
In the file:
During the initialization of the AuthMiddleware the following operations are made for the signing directory:
IF the directory exists but cannot be written to a configuration error is raised.
ELSE IF the directory doesn't exist, create it.
NEXT chmod permisions(stat.S_IRWXU) to the signing_directory
AFAICT The signing certificates used in validation will only be fetched from the keystone if the cms_verify action raises an exception because the certificate file is missing from the signing directory.
This means that if an attacker populated the /tmp/keystone-signing-nova
with the appropriate files for signautre verification they could potentially
issue forged tokens which would be validated by the middleware. As:
- The directory location deterministic. (default for glance, nova)
- *If the directory already exists it is reused*
https://review.openstack.org/#/c/28568/ (Havana branch)
https://review.openstack.org/#/c/28569/ (Grizzly branch)
https://review.openstack.org/#/c/28570/ (Folsom branch)
Created openstack-nova tracking bugs for this issue
Affects: fedora-all [bug 961733]
Affects: epel-6 [bug 961736]
openstack-keystone-2012.2.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This was fixed upstream:
OpenStack Security Advisory: 2013-010
Date: May 9, 2013
Title: Nova uses insecure keystone middleware tmpdir by default
Reporter: Grant Murphy (Red Hat), Anton Lundin
Affects: Folsom, Grizzly
Grant Murphy from Red Hat and Anton Lundin both independently reported a
vulnerability in Nova's default location for the Keystone middleware
signing directory (signing_dir). By previously setting up a malicious
directory structure, an attacker with local shell access on the Nova
node could potentially issue forged tokens that would be accepted by the
middleware. Only setups that use the default value for signing_dir are
affected. Note that future versions of the Keystone middleware will
issue a warning if an insecure signing directory is used.
Havana (development branch) fix:
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
The fix for this issue is already included in the current havana and grizzly RDO packages.