Tristan Cacqueray reports:
Title: RBAC policy not properly enforced in Nova EC2 API
Reporter: Marc Heckmann (Ubisoft)
Versions: 2013.1 versions up to 2013.2.3
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using the EC2 API,
resulting in unauthorized actions on security groups. Only setups using
non-default RBAC rules for Nova may be affected.
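The report above describes a flaw class rather than a single bad line: two front ends (the native Compute API and the EC2-compatible API) share one security-group backend, but the RBAC policy check lived only in one of them. The following is an added, constructed Python model of that situation and of the remedy of enforcing the policy in the shared layer so every front end inherits it. It is not Nova's code; the policy table, the rule names (security_groups:add_rules and so on), the roles and the class names are all assumptions chosen for illustration.

```python
import functools
from dataclasses import dataclass, field


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not satisfy the policy rule."""


# Constructed policy table in the spirit of a non-default, operator-tightened
# policy.json: only the 'admin' role may mutate security groups. (Assumption.)
POLICY = {
    "security_groups:add_rules": {"admin"},
    "security_groups:remove_rules": {"admin"},
    "security_groups:destroy": {"admin"},
}


@dataclass(frozen=True)
class Context:
    """Minimal request context: who is calling and with which roles."""
    user: str
    roles: frozenset


def enforce(ctx: Context, action: str) -> None:
    """Raise unless at least one of the caller's roles is allowed the action."""
    if not ctx.roles & frozenset(POLICY.get(action, ())):
        raise PolicyNotAuthorized(f"{ctx.user} is not allowed to {action}")


@dataclass
class UnpatchedBackend:
    """Shared backend with no policy checks of its own: it trusts callers."""
    groups: dict = field(default_factory=dict)

    def add_rules(self, ctx, group, rules):
        self.groups.setdefault(group, []).extend(rules)
        return list(self.groups[group])

    def destroy(self, ctx, group):
        self.groups.pop(group, None)
        return group not in self.groups


def checks_policy(action):
    """Decorator that enforces a policy rule before the wrapped method runs."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, ctx, *args, **kwargs):
            enforce(ctx, action)
            return fn(self, ctx, *args, **kwargs)
        return wrapper
    return deco


class PatchedBackend(UnpatchedBackend):
    """Same backend, but the check sits at the shared layer, so no front end
    can reach the mutating methods without passing policy."""
    add_rules = checks_policy("security_groups:add_rules")(UnpatchedBackend.add_rules)
    destroy = checks_policy("security_groups:destroy")(UnpatchedBackend.destroy)


class NativeAPI:
    """Front end that performs its own policy check before calling the backend."""
    def __init__(self, backend):
        self.backend = backend

    def add_rules(self, ctx, group, rules):
        enforce(ctx, "security_groups:add_rules")
        return self.backend.add_rules(ctx, group, rules)


class EC2StyleAPI:
    """Front end that omits the check and relies on the backend (the flaw)."""
    def __init__(self, backend):
        self.backend = backend

    def add_rules(self, ctx, group, rules):
        return self.backend.add_rules(ctx, group, rules)


def attempt(api, ctx) -> bool:
    """True if ctx managed to add a rule through this front end, else False."""
    try:
        api.add_rules(ctx, "default", ["tcp/22"])
        return True
    except PolicyNotAuthorized:
        return False


def outcomes(backend_cls) -> dict:
    """Exercise both front ends against one backend class with constructed users."""
    backend = backend_cls()
    restricted = Context("alice", frozenset({"member"}))  # constructed non-admin
    admin = Context("root", frozenset({"admin"}))         # constructed admin
    return {
        "native_restricted": attempt(NativeAPI(backend), restricted),
        "ec2_restricted": attempt(EC2StyleAPI(backend), restricted),
        "ec2_admin": attempt(EC2StyleAPI(backend), admin),
    }


if __name__ == "__main__":
    print("unpatched:", outcomes(UnpatchedBackend))
    print("patched:  ", outcomes(PatchedBackend))
```

With the unpatched backend the restricted user is refused by the native front end but succeeds through the EC2-style one, which is the bypass the report describes; with the patched backend the same call is refused on both paths while the admin still succeeds. The design point is that per-front-end checks are only as complete as the most forgetful front end, so the authoritative check belongs in the code every front end must pass through.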
Red Hat would like to thank the Openstack Project for reporting this issue. Upstream acknowledges Marc Heckmann of Ubisoft as the original reporter.
This issue is public now:
Created openstack-nova tracking bugs for this issue:
Affects: fedora-all [bug 1086265]
openstack-nova-2013.2.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
It was found that RBAC policies were not enforced in certain methods of the OpenStack Compute EC2 (Amazon Elastic Compute Cloud) API. A remote attacker could use this flaw to escalate their privileges beyond the user group they were originally restricted to. Note that only certain setups using non-default RBAC rules for OpenStack Compute were affected.
This issue has been addressed in the following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:1084 https://rhn.redhat.com/errata/RHSA-2014-1084.html