Executive Summary

This vulnerability exists in OpenStack Keystone versions 13 through 29. It occurs because the POST /v3/credentials endpoint does not properly validate that the project_id supplied by the caller for an EC2-type credential matches the project of the authenticating application credential.

As a result, an attacker who has an unrestricted application credential for one project (project A) can create an EC2 credential that targets a different project (project B). Later, by using the /v3/ec2tokens endpoint, the attacker can exchange this EC2 credential for a Keystone token scoped to project B, even though the original application credential was for project A.

This allows cross-project lateral movement within the credential owner's role permissions, effectively bypassing project boundaries that should normally restrict access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker who has compromised an application credential for one project to gain unauthorized access to resources in another project where the credential owner has roles.

The attacker can create EC2 credentials scoped to a different project and obtain tokens scoped to that project, enabling lateral movement across projects without needing additional privileges.

This can lead to unauthorized access to sensitive data or operations in other projects, increasing the risk of data breaches or misuse of resources within the OpenStack environment.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability allows an attacker with an unrestricted application credential for one project to create EC2 credentials scoped to another project, enabling cross-project lateral movement. Immediate mitigation steps should focus on restricting the ability to create EC2 credentials with arbitrary project IDs and ensuring strict validation of project scope during credential creation and token exchange.

• Review and update policies controlling access to the /v3/credentials and /v3/ec2tokens endpoints to enforce strict project scope validation.
• Limit the use of unrestricted application credentials and monitor their usage closely.
• Audit and restrict privileged services or gateways that perform token validation and exchange to prevent misuse.
• Apply any available patches or updates from OpenStack Keystone that address this issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to bypass project scope restrictions within OpenStack Keystone, enabling cross-project lateral movement within the victim's role footprint. Such unauthorized access to data and resources across projects could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which mandate strict access controls and data segregation.

By permitting an attacker to obtain tokens scoped to projects they should not have access to, the vulnerability undermines the principle of least privilege and could result in unauthorized access to sensitive personal or health information, thereby impacting compliance with these standards.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring and analyzing requests to the OpenStack Keystone service, specifically looking for anomalous or unauthorized use of the /v3/credentials and /v3/ec2tokens endpoints.

You should look for POST requests to /v3/credentials where the project_id parameter does not match the project associated with the authenticating application credential. This mismatch indicates potential exploitation attempts.

Additionally, monitoring POST requests to /v3/ec2tokens that result in tokens scoped to projects different from the original application credential's project can help identify lateral movement attempts.

While no specific commands are provided in the resources, you can use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic to the Keystone endpoints and then filter for suspicious POST requests.

• Use tcpdump to capture traffic on the Keystone API port (usually 5000): tcpdump -i <interface> -A 'tcp port 5000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Filter captured traffic for POST requests to /v3/credentials and /v3/ec2tokens endpoints.
• Analyze logs from Keystone for application credential creation events and token issuance events, checking for project_id mismatches.

Implementing custom scripts or log analysis tools to correlate application credential project IDs with the project IDs in EC2 credentials and tokens can help automate detection.

Useful 0 Not Useful 0