OpenStack Identity (keystone)

Application credentials of other users can be deleted when knowing the ID

Bug #1901207 reported by Arjen on 2020-10-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Lance Bragstad
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

Intro
-----
While performing a penetration test on a new OpenStack install of version Train, we found a vulnerability that could lead to a Denial of Service condition. Using an installation of DevStack we verified that the issue is still present.

Description
-----------
In the test situation we had two, separate, projects, each with their own user. Users were only authorised for their own project, not for the other's project.

After creating an application credential for user A, we were able to delete that credential with user B by issuing the OpenStack application credential delete command with the credential ID as parameter.

Apparently, there is no authorisation check on the delete (and show) action and anyone who knows the credential ID can remove it, potentially creating a Denial of Service attack on the affected project.

Precondition
------------
- Logged in user (user B)
- Knowing the ID of an application credential of another user (user A)

Discovered on October 8, 2020 by Arjen Zijlstra (<email address hidden>) and Arthur Donkers (arthur@1secure.nl)

See original description

Tags:

Arjen (i2rcnasjfnk3) on 2020-10-23

description:	updated
description:	updated
description:	updated

Revision history for this message

Jeremy Stanley (fungi) wrote on 2020-10-23:

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

Changed in ossa:
status:	New → Incomplete
description:	updated

Revision history for this message

Jeremy Stanley (fungi) wrote on 2020-10-23:

In the past, OpenStack's vulnerability managers have considered exploit scenarios requiring the malicious actor to guess or otherwise obtain version 4 UUIDs for resources to which they're not entitled as impractical and safe to discuss in public, class C1 in our report taxonomy:

https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Are there unusual circumstances for this report which should require private discussion under embargo instead?

Revision history for this message

Arjen (i2rcnasjfnk3) wrote on 2020-10-23:

Not from our side.

Revision history for this message

Gage Hugo (gagehugo) wrote on 2020-10-23:

C1 seems appropriate here, alongside making this public.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2020-10-26:

I have switched this bug to public, treating it as a security hardening opportunity pending further insights from reviewers.

description:	updated
information type:	Private Security → Public
Changed in ossa:
status:	Incomplete → Won't Fix
tags:	added: security

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-11-02: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/760972

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	New → In Progress

Lance Bragstad (lbragstad) on 2020-11-02

Changed in keystone:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-03-26: Fix included in openstack/keystone 19.0.0.0rc1

This issue was fixed in the openstack/keystone 19.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-03: Fix merged to keystone (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/769221
Committed: https://opendev.org/openstack/keystone/commit/6b739ffc337ad5491b027a4c2312bf3f461079c8
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 6b739ffc337ad5491b027a4c2312bf3f461079c8
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 2 17:22:49 2020 +0000

Use app cred user ID in policy enforcement

    The application credential policies use the `rule:owner` policy to allow
    users to manage their own credentials. The policy engine pulled the
    user_id attribute from the request path instead of the actual
    application credential. This allowed for users to exploit the
    enforcement and view or delete application credentials they don't own.

    This commit attempts to resolve the issue by updating the flask
    parameters before they're translated to policy arguments and target
    data, prior to policy enforcement.

    Change-Id: I903d20fa41270499ca1c39d296120dd97cef5405
    Closes-Bug: 1901207
    (cherry picked from commit 2d7bf10a5a145ed3b6e34c3cb95e05fb7e33e0d1)
    (cherry picked from commit 80832de6ced534bccbf7cfe24a6a01c8262c1779)

tags:

added: in-stable-ussuri

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-03: Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/769222
Committed: https://opendev.org/openstack/keystone/commit/9c879d46bf40f8a11e8033406bb1b8861baf3f51
Submitter: "Zuul (22348)"
Branch: stable/train

commit 9c879d46bf40f8a11e8033406bb1b8861baf3f51
Author: Lance Bragstad <email address hidden>
Date: Mon Nov 2 17:22:49 2020 +0000

Use app cred user ID in policy enforcement

    This commit attempts to resolve the issue by updating the flask
    parameters before they're translated to policy arguments and target
    data, prior to policy enforcement.

    This commit also deviates slightly from backports to stable/ussuri,
    stable/victoria, and master (wallaby). This is because newer branches
    use `http.client` to assert status codes and in stable/train we are
    still using `http_client`. This change is functionally the same.