ID CVE-2013-0282
Summary OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:keystone:2012.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2:milestone2:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2012.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2012.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2013.1:milestone1:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2013.1:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2013.1:milestone2:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2013.1:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystone:2013.1:milestone3:*:*:*:*:*:*
    cpe:2.3:a:openstack:keystone:2013.1:milestone3:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 16-11-2018 - 14:45)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components. MITM attacks differ from sniffing attacks since they often modify the communications prior to delivering it to the intended recipient. These attacks also differ from interception attacks since they may forward the sender's original unmodified data, after copying it, instead of keeping it for themselves.
  • Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Session Hijacking
    This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The advarsary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
  • Fake the Source of Data
    An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Identity Spoofing
    Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.
  • Token Impersonation
    An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
  • Authentication Bypass
    An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.
  • Exploiting Trust in Client
    An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Upload a Web Shell to a Web Server
    By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
rpms
  • openstack-keystone-0:2012.2.3-3.el6ost
  • openstack-keystone-doc-0:2012.2.3-3.el6ost
  • python-keystone-0:2012.2.3-3.el6ost
refmap via4
confirm
mlist [oss-security] 20130219 [OSSA 2013-005] Keystone EC2-style authentication accepts disabled user/tenants (CVE-2013-0282)
Last major update 16-11-2018 - 14:45
Published 12-04-2013 - 22:55
Last modified 16-11-2018 - 14:45
Back to Top