Vulnerabilities > CVE-2013-6391 - Improper Privilege Management vulnerability in multiple products

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE

Summary

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

Vulnerable Configurations

Part Description Count
Application
Openstack
1
Application
Redhat
1
OS
Canonical
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2061-1.NASL
    descriptionSteven Hardy discovered that Keystone did not properly enforce trusts when using the ec2tokens API. An authenticated attacker could exploit this to retrieve a token not scoped to the trust and elevate privileges to the trustor
    last seen2020-06-01
    modified2020-06-02
    plugin id71564
    published2013-12-20
    reporterUbuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/71564
    titleUbuntu 13.10 : keystone vulnerability (USN-2061-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2061-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71564);
      script_version("1.7");
      script_cvs_date("Date: 2019/09/19 12:54:29");
    
      script_cve_id("CVE-2013-6391");
      script_bugtraq_id(64253);
      script_xref(name:"USN", value:"2061-1");
    
      script_name(english:"Ubuntu 13.10 : keystone vulnerability (USN-2061-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Steven Hardy discovered that Keystone did not properly enforce trusts
    when using the ec2tokens API. An authenticated attacker could exploit
    this to retrieve a token not scoped to the trust and elevate
    privileges to the trustor's roles.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2061-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected python-keystone package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-keystone");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:13.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/12/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(13\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 13.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"13.10", pkgname:"python-keystone", pkgver:"1:2013.2-0ubuntu1.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-keystone");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-4210.NASL
    descriptionupdated to stable grizzly 2013.1.5 release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-04-07
    plugin id73353
    published2014-04-07
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73353
    titleFedora 19 : openstack-keystone-2013.1.5-2.fc19 (2014-4210)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2014-4210.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73353);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-6391", "CVE-2014-2237");
      script_bugtraq_id(64253, 65895);
      script_xref(name:"FEDORA", value:"2014-4210");
    
      script_name(english:"Fedora 19 : openstack-keystone-2013.1.5-2.fc19 (2014-4210)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "updated to stable grizzly 2013.1.5 release
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1039164"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1071434"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131150.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?68c9a028"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openstack-keystone package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openstack-keystone");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC19", reference:"openstack-keystone-2013.1.5-2.fc19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openstack-keystone");
    }
    

Redhat

advisories
rhsa
idRHSA-2014:0089
rpms
  • openstack-keystone-0:2013.2.1-1.el6ost
  • openstack-keystone-doc-0:2013.2.1-1.el6ost
  • python-keystone-0:2013.2.1-1.el6ost
  • openstack-keystone-0:2013.1.5-2.el6ost
  • openstack-keystone-doc-0:2013.1.5-2.el6ost
  • python-keystone-0:2013.1.5-2.el6ost

Seebug

bulletinFamilyexploit
descriptionBugtraq ID:64253 CVE ID:CVE-2013-6391 Keystone是Openstack中用于身份验证的项目,任何服务请求需要经过它的验证获得服务的endpoint。 OpenStack Keystone在使用trust-scoped令牌生成EC2验证凭据时ec2tokens API存在一个安全漏洞,允许远程利用漏洞访问其他受限委托人角色(trustor's roles),提升权限。 要成功利用漏洞需要应用启用了EC2-style验证。 0 OpenStack Keystone 2013.x 目前厂商暂无提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.openstack.org/
idSSV:61131
last seen2017-11-19
modified2013-12-16
published2013-12-16
reporterRoot
titleOpenStack Keystone EC2-style令牌校验特权提升漏洞