Adding OSSN-0064

This OSSN addresses an issue with OpenStack Keystone
https://bugs.launchpad.net/ossn/+bug/1545789

Change-Id: I82de823c45bfbec3bbea7d1bebf4d530966507ff
security-notes/OSSN-0064 (72 lines, Normal file)
							| @@ -0,0 +1,72 @@ | ||||
| Keystone admin_token_auth use by default causes insecure operation | ||||
| --- | ||||
|  | ||||
| ### Summary ### | ||||
| A Keystone setting intended for use only during initial installation is | ||||
| often left configured in its default value by OpenStack deployers. | ||||
|  | ||||
| An attacker could gain administrative access to the Keystone API by | ||||
| providing the string "ADMIN" as a token. | ||||
|  | ||||
| ### Affected Services / Software ### | ||||
| Keystone, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo, Liberty, Mitaka | ||||
|  | ||||
| ### Discussion ### | ||||
| The Keystone service supports an authentication middleware called | ||||
| "admin_token_auth". This provides a simple token for accessing the | ||||
| Keystone API and is intended to be used only for the initial setup of | ||||
| Keystone, allowing the deployer access to the Keystone API which can be | ||||
| used to setup appropriate Keystone administrator accounts. | ||||
|  | ||||
| The "admin_token_auth" method is configured through the | ||||
| keystone-paste.ini file. The token for the "ADMIN_TOKEN" that this | ||||
| method validates against is set in the keystone.conf file. | ||||
|  | ||||
| Some deployments copy these files from the example versions and use them | ||||
| unchanged. This means that some production OpenStack clouds may have | ||||
| "admin_token_auth" enabled and "ADMIN_TOKEN" set to the default value | ||||
| of "ADMIN". | ||||
|  | ||||
| It is likely that OpenStack deployments using the default Keystone | ||||
| configuration files are vulnerable to exploitation by an attacker who accesses | ||||
| the API using a token of "ADMIN". | ||||
|  | ||||
| ### Recommended Actions ### | ||||
| Use of "ADMIN_TOKEN" for bootstrapping Keystone deployments is | ||||
| deprecated and will be removed in a future release. Deployers are | ||||
| encouraged to bootstrap Keystone using the 'bootstrap' feature of the | ||||
| keystone-manage CLI tool: | ||||
|  | ||||
|   $ keystone-manage bootstrap --bootstrap-password s3cr3t | ||||
|  | ||||
| Existing deployments should remove the "admin_token_auth" middleware | ||||
| from the API pipelines in keystone-paste.ini. | ||||
|  | ||||
| ---- begin bad keystone-paste.ini snippet ---- | ||||
|     [pipeline:public_api] | ||||
|     pipeline =  [...] token_auth admin_token_auth json_body [...] | ||||
|  | ||||
|     [pipeline:admin_api] | ||||
|     pipeline = [...] token_auth admin_token_auth json_body [...] | ||||
|  | ||||
|     [pipeline:api_v3] | ||||
|     pipeline = [...] token_auth admin_token_auth json_body [...] | ||||
| ---- end bad keystone-paste.ini snippet ---- | ||||
|  | ||||
| ---- begin good keystone-paste.ini snippet ---- | ||||
|     [pipeline:public_api] | ||||
|     pipeline = [...] token_auth json_body [...] | ||||
|  | ||||
|     [pipeline:admin_api] | ||||
|     pipeline = [...] token_auth json_body [...] | ||||
|  | ||||
|     [pipeline:api_v3] | ||||
|     pipeline = [...] token_auth json_body [...] | ||||
| ---- end good keystone-paste.ini snippet ---- | ||||
|  | ||||
| ### Contacts / References ### | ||||
| This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0064 | ||||
| Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1545789 | ||||
| Mailing list [Security] tag on : openstack-dev@lists.openstack.org | ||||
| OpenStack Security Group : https://launchpad.net/~openstack-ossg | ||||
| Keystone Change : https://review.openstack.org/#/c/282104/1/releasenotes/notes/admin_token-c634ec12fc714255.yaml | ||||
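Review bot: the Recommended Actions section addresses only one of the two settings that the Discussion identifies. It removes the admin_token_auth middleware from the three keystone-paste.ini pipelines but says nothing about the token value in keystone.conf that the Discussion says the middleware validates against; add a step to remove that option (or at minimum replace its default value of "ADMIN") so that a later re-enabling of the middleware cannot silently restore the well-known credential. Two smaller points: the `keystone-manage bootstrap` recommendation is presented as the path for all deployers, yet the Affected list runs from Folsom to Mitaka and the bootstrap subcommand does not exist on the older releases in that list, so state the earliest release it applies to and make clear that on earlier releases removing the middleware is the complete action; and the Discussion calls the setting "ADMIN_TOKEN" while the keystone.conf option is spelled `admin_token` (in the [DEFAULT] section), so naming it as it appears in the file avoids confusion. Style nit: the public_api line in the "bad" snippet has a double space after `pipeline =` that the other lines do not.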
Robert Clark