Date: Tue, 19 Feb 2013 18:43:55 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, 
 oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2013-005] Keystone EC2-style authentication accepts disabled
 user/tenants (CVE-2013-0282)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-005
CVE: CVE-2013-0282
Date: February 19, 2013
Keystone EC2-style authentication accepts disabled user/tenants
Reporter: Nathanael Burton (National Security Agency)
Products: Keystone
Affects: All versions

Description:
Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is
enabled before authenticating a user using the EC2 api. Authenticated,
but disabled users (or authenticated users in disabled tenants or
domains) could therefore retain access rights that were thought removed.
Only setups enabling EC2-style authentication are affected. To disable
EC2-style authentication to work around the issue, remove the EC2
extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone
API pipeline in keystone.conf.

Grizzly (development branch) fix:
https://review.openstack.org/#/c/22319/

Folsom fix:
https://review.openstack.org/#/c/22320/

Essex fix:
https://review.openstack.org/#/c/22321/

References:
https://bugs.launchpad.net/keystone/+bug/1121494
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRI7nbAAoJEFB6+JAlsQQjGHgP/2yHBH4Yvzl3Q0P4oMr2Vskb
9xroi6sEQTgP/KaidIiV2lORdgSqYZZlylW3EbHnR1Io9natqCLfYkkEdpagTUxM
WcYXAJtBHbHN+hpeGiYojPsV1LmgIX81UrausX1k5U1ZtFkvOhrfhcXWPOozREkM
WwhYjaGl14dmIusE7h0uY7VNTiQMI9LAft18OfJMNFTwA/FmkxlPO/Jea8CUwDIl
LSLv+MRFw2M01TnsAYlnFsa9O7175q2DpNPCqXYjh38ewNBJHuArtuASkA7hHrMA
wYUzAS3lho9WuGVG/GwZk1V//GQhpzn/VWxRCmuOS3tpwTksbkXF36kwOnP5Vu5N
uo9jLBAovHIqfr0QGXGYMXA9Bu9jW5geUIuDNvpKkAFIiQVS3JcDWsqsu7otgjHY
HKUKmYF66BAJmmaM7aXPswGs61B6F3SLIZCneOp9N8PnT3PCR57++zMEjEWBYuLw
E4BDKPa1k2Q822hxWizhXAmkfc5t+AVk2kKPa9a5sMY2oNNrqtRR4+jMjXiS9CmU
gQs9VbXrmMy577zcCkzj7ci7fY0iFUtHW7PhFKUpHf2Mpr2/vLwc4p8g5da8bTwU
2swDuJ/KPsd66oEYjQW0CGBymMTkmbZWUX4InAj1ZynESW46cb/CAaS8oGk2I6dC
F3MMfAjNkfhO9srLLNoC
=fWOa
-----END PGP SIGNATURE-----
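The advisory describes a class of bug where a credential path (here the EC2-style one) verifies the signature but never consults the `enabled` flag on the user, the tenant, or their domains. The following is an added, self-contained model of that defect and its fix; it is not Keystone's code nor the patches linked above. All names (`Domain`, `Tenant`, `User`, `Ec2Credential`, `authenticate_ec2_vulnerable`, `authenticate_ec2_fixed`, `build_sample_store`, `outcome`) and the sample credentials are constructed for the example, and the HMAC-SHA256 signing stand-in is a simplification of the real EC2 request-signing scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Domain:
    id: str
    enabled: bool = True


@dataclass
class Tenant:
    id: str
    domain: Domain
    enabled: bool = True


@dataclass
class User:
    id: str
    domain: Domain
    enabled: bool = True


@dataclass
class Ec2Credential:
    access: str
    secret: str
    user: User
    tenant: Tenant


class AuthError(Exception):
    """Raised when EC2-style authentication must be refused."""


def sign_request(secret: str, canonical_request: str) -> str:
    """Stand-in for the EC2 request signature: HMAC-SHA256 over a canonical
    request string (assumption: a simplification of the real scheme)."""
    return hmac.new(secret.encode(), canonical_request.encode(), hashlib.sha256).hexdigest()


def _verify_signature(cred: Ec2Credential, canonical_request: str, signature: str) -> bool:
    expected = sign_request(cred.secret, canonical_request)
    return hmac.compare_digest(expected, signature)


def authenticate_ec2_vulnerable(creds, access, canonical_request, signature):
    """Models the behaviour the advisory describes: once the signature checks
    out, a token is issued without consulting any 'enabled' flag."""
    cred = creds.get(access)
    if cred is None or not _verify_signature(cred, canonical_request, signature):
        raise AuthError("signature check failed")
    return {"user_id": cred.user.id, "tenant_id": cred.tenant.id}


def authenticate_ec2_fixed(creds, access, canonical_request, signature):
    """Same flow with the missing checks added: the user, the tenant, and the
    domain of each must all be enabled before a token is issued."""
    cred = creds.get(access)
    if cred is None or not _verify_signature(cred, canonical_request, signature):
        raise AuthError("signature check failed")
    checks = (
        ("user", cred.user),
        ("tenant", cred.tenant),
        ("user domain", cred.user.domain),
        ("tenant domain", cred.tenant.domain),
    )
    for label, obj in checks:
        if not obj.enabled:
            # Reason is for server-side logging; the client should only see
            # a generic authentication failure.
            raise AuthError(f"{label} {obj.id} is disabled")
    return {"user_id": cred.user.id, "tenant_id": cred.tenant.id}


def build_sample_store():
    """Constructed sample data: one enabled user and one user an administrator
    has disabled but whose EC2 credential still exists in the store."""
    dom = Domain("default")
    tenant = Tenant("proj-a", dom)
    return {
        "access-alice": Ec2Credential("access-alice", "secret-1", User("alice", dom), tenant),
        "access-bob": Ec2Credential("access-bob", "secret-2", User("bob", dom, enabled=False), tenant),
    }


def outcome(auth_fn, creds, access, signature=None,
            canonical_request="GET\nexample.invalid\n/\nAction=DescribeInstances"):
    """Run auth_fn for the named credential (signing with its own secret unless
    a signature is supplied) and report 'token' or 'refused'."""
    if signature is None:
        signature = sign_request(creds[access].secret, canonical_request)
    try:
        auth_fn(creds, access, canonical_request, signature)
        return "token"
    except AuthError:
        return "refused"


if __name__ == "__main__":
    store = build_sample_store()
    for fn in (authenticate_ec2_vulnerable, authenticate_ec2_fixed):
        print(fn.__name__, "alice:", outcome(fn, store, "access-alice"),
              "bob(disabled):", outcome(fn, store, "access-bob"))
```

Running the block prints that both versions accept the enabled user, but only the fixed version refuses the disabled one; the vulnerable path still issues a token for `bob`, which is exactly the retained-access condition the advisory describes. The same pattern applies when auditing any alternative authentication plugin: every token-issuing path, not just the primary password one, needs the enabled checks.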
