CVE-2014-7144 - Cryptographic Issues vulnerability in Openstack Keystonemiddleware and Python-Keystoneclient
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification whenever the "insecure" option is present in a paste configuration (paste.ini) file, regardless of its value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation, and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-2705-1.NASL
  Description: Qin Zhao discovered Keystone disabled certification verification when the
  Last seen: 2020-06-01; modified: 2020-06-02
  Plugin id: 85253; published: 2015-08-06
  Reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/85253
  Title: Ubuntu 14.04 LTS / 15.04 : python-keystoneclient, python-keystonemiddleware vulnerabilities (USN-2705-1)
- NASL family: Solaris Local Security Checks
  NASL id: SOLARIS11_KEYSTONE_20141120.NASL
  Description: The remote Solaris system is missing necessary patches to address security updates : - OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the
  Last seen: 2020-06-01; modified: 2020-06-02
  Plugin id: 80660; published: 2015-01-19
  Reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/80660
  Title: Oracle Solaris Third-Party Patch Update : keystone (cve_2014_7144_cryptographic_issues)
References
- http://rhn.redhat.com/errata/RHSA-2014-1783.html
- http://rhn.redhat.com/errata/RHSA-2014-1784.html
- http://rhn.redhat.com/errata/RHSA-2015-0020.html
- http://secunia.com/advisories/62709
- http://www.openwall.com/lists/oss-security/2014/09/25/51
- http://www.securityfocus.com/bid/69864
- http://www.ubuntu.com/usn/USN-2705-1
- https://bugs.launchpad.net/python-keystoneclient/+bug/1353315