Bug 1024401 (CVE-2013-4477) - CVE-2013-4477 openstack-keystone: unintentional role granting with Keystone LDAP backend
Summary: CVE-2013-4477 openstack-keystone: unintentional role granting with Keystone L...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4477
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1024441 1024442 1024443 1024446 1024447
Blocks: 1024402
TreeView+ depends on / blocked
 
Reported: 2013-10-29 15:17 UTC by Vincent Danen
Modified: 2019-09-29 13:09 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-28 00:59:31 UTC


Attachments (Terms of Use)
CVE-2013-4477-grizzly.patch (3.25 KB, patch)
2013-10-29 16:57 UTC, Kurt Seifried
no flags Details | Diff
CVE-2013-4477-havana.patch (3.05 KB, patch)
2013-10-29 16:57 UTC, Kurt Seifried
no flags Details | Diff
CVE-2013-4477-icehouse.patch (2.79 KB, patch)
2013-10-29 16:58 UTC, Kurt Seifried
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0113 0 normal SHIPPED_LIVE Moderate: openstack-keystone security update 2014-01-31 00:58:54 UTC

Description Vincent Danen 2013-10-29 15:17:35 UTC
The following flaw in Openstack Grizzly and Havana was reported [1],[2]:

The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.

A CVE has been requested.

[1] https://bugs.launchpad.net/keystone/+bug/1242855
[2] http://seclists.org/oss-sec/2013/q4/186

Comment 1 Vincent Danen 2013-10-29 15:23:36 UTC
The Grizzly fix is here:

https://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc

The Havana fix is here:

https://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0

The upstream bug report contains fairly detailed reproduction instructions as well.  Note that this requires administrator privileges.

Comment 2 Kurt Seifried 2013-10-29 16:23:04 UTC
Upstream fix information:

Reviewed: https://review.openstack.org/53010
Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa
Submitter: Jenkins
Branch: master

commit b17e7bec768bd53d3977352486378698a3db3cfa
Author: Brant Knudson <bknudson.com>
Date: Mon Oct 21 15:21:12 2013 -0500

    Enhance tests for deleting a role not assigned

    There wasn't a test that showed what happens when a role is
    deleted that was never assigned.

    Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506
    Related-bug: #1242855



Reviewed: https://review.openstack.org/53012
Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0
Submitter: Jenkins
Branch: master

commit c6800ca1ac984c879e75826df6694d6199444ea0
Author: Brant Knudson <bknudson.com>
Date: Mon Oct 21 15:31:23 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a
    role assignment when the role hadn't been used before would
    actually add the role assignment and would not return a
    404 Not Found like the SQL backend.

    This change makes it so that when attempt to remove a role that
    wasn't assigned then 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3

Comment 4 Kurt Seifried 2013-10-29 16:37:27 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1024441]
Affects: epel-6 [bug 1024442]

Comment 5 Kurt Seifried 2013-10-29 16:57:12 UTC
Created attachment 817139 [details]
CVE-2013-4477-grizzly.patch

Comment 6 Kurt Seifried 2013-10-29 16:57:47 UTC
Created attachment 817140 [details]
CVE-2013-4477-havana.patch

Comment 7 Kurt Seifried 2013-10-29 16:58:26 UTC
Created attachment 817141 [details]
CVE-2013-4477-icehouse.patch

Comment 8 Fedora Update System 2013-11-08 04:32:01 UTC
openstack-keystone-2013.1.4-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-12-28 23:38:05 UTC
openstack-keystone-2013.2.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2014-01-30 20:01:17 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0113 https://rhn.redhat.com/errata/RHSA-2014-0113.html


Note You need to log in before you can comment on or make changes to this bug.