OpenStack VMT reports:

Title: Keystone privilege escalation through trust chained delegation
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone chained delegation. By creating a delegation from a trust or OAuth token, a trustee may abuse identity impersonation against Keystone and circumvent the enforced scope, resulting in potentially elevated privileges to any of the trustor's projects and/or roles. All Keystone deployments configured to enable trusts are affected, which has been the default since Grizzly.
Acknowledgements: This issue was discovered by Steven Hardy of Red Hat.
Created attachment 904902: CVE-2014-3476 patch for stable/havana
Created attachment 904920: CVE-2014-3476 patch for stable/icehouse
Created attachment 904933: CVE-2014-3476 patch for master (juno)
(In reply to Vincent Danen from comment #5)
> Created attachment 904902
> CVE-2014-3476 patch for stable/havana

There has been a minor change in the posted Havana review (unit tests only): https://review.openstack.org/#/c/99703/1..2/keystone/tests/test_v3_auth.py,unified
This is now public: http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html

Please create a Fedora clone.
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1108964]
Affects: epel-6 [bug 1108965]
Issue Description:
A flaw was found in keystone's chained delegation. A trustee able to create a delegation from a trust or an OAuth token could misuse identity impersonation to bypass the enforced scope, possibly allowing them to obtain elevated privileges to the trustor's projects and roles.
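As an added illustration of the scope escape described above (a simplified model with constructed sample data, not Keystone's code or the attached patches), the following shows why a trust-creation check that keys only on the identity the token carries lets a trust-scoped impersonation token delegate more than the original trust granted, and the guard that refuses delegation from an already-delegated (trust- or OAuth-scoped) token. The Token and Trust fields, the ASSIGNMENTS table and the user names are assumptions for the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Token:
    user_id: str                       # identity the token acts as (the trustor, when impersonating)
    project_id: str
    roles: FrozenSet[str]
    trust_id: Optional[str] = None     # set when the token was obtained through a trust
    consumer_id: Optional[str] = None  # set when the token was issued to an OAuth consumer

@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor: str
    trustee: str
    project_id: str
    roles: FrozenSet[str]
    impersonation: bool

class Forbidden(Exception):
    pass

# Constructed sample role assignments: what the trustor really holds, per project.
ASSIGNMENTS = {"alice": {"proj-a": {"admin", "member"}, "proj-b": {"admin"}}}

def create_trust(token, trustee, project_id, roles, impersonation, guard_chained=True):
    """Model of trust creation. The role check uses the identity the token carries, so with
    guard_chained=False (the flawed behaviour) a trust-scoped impersonation token can delegate
    any role the trustor holds. guard_chained=True refuses delegation from delegated tokens."""
    if guard_chained and (token.trust_id is not None or token.consumer_id is not None):
        raise Forbidden("cannot create a trust from a trust- or OAuth-scoped token")
    held = ASSIGNMENTS.get(token.user_id, {}).get(project_id, set())
    if not set(roles) <= held:
        raise Forbidden("trustor does not hold the requested roles on that project")
    return Trust("trust-" + trustee, token.user_id, trustee, project_id, frozenset(roles), impersonation)

def chained_delegation(guard_chained):
    """alice delegates only 'member' on proj-a to bob; bob's trust-scoped token, acting as
    alice, then tries to delegate alice's 'admin' on proj-b to a third user."""
    first = Trust("trust-1", "alice", "bob", "proj-a", frozenset({"member"}), True)
    bob_token = Token("alice", "proj-a", first.roles, trust_id=first.trust_id)
    try:
        second = create_trust(bob_token, "carol", "proj-b", {"admin"}, True, guard_chained)
        return ("delegated", sorted(second.roles))
    except Forbidden as exc:
        return ("rejected", str(exc))
```

With the guard off the second trust is created with a role and project the first trust never granted; with it on, the attempt is rejected at the token-scope check before any role comparison happens.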
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6
OpenStack 4 for RHEL 6

Via RHSA-2014:0994 https://rhn.redhat.com/errata/RHSA-2014-0994.html
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.