Vulnerabilities > CVE-2014-7144 - Cryptographic Issues vulnerability in Openstack Keystonemiddleware and Python-Keystoneclient

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, openstack, CWE-310, nessus

Summary

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification whenever the "insecure" option is set in a paste configuration (paste.ini) file, regardless of the option's value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2705-1.NASL
    description: Qin Zhao discovered Keystone disabled certification verification when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85253
    published: 2015-08-06
    reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85253
    title: Ubuntu 14.04 LTS / 15.04 : python-keystoneclient, python-keystonemiddleware vulnerabilities (USN-2705-1)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_KEYSTONE_20141120.NASL
    description: The remote Solaris system is missing necessary patches to address security updates : - OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80660
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80660
    title: Oracle Solaris Third-Party Patch Update : keystone (cve_2014_7144_cryptographic_issues)

Redhat

Advisories
  • RHSA-2014:1783
  • RHSA-2014:1784
  • RHSA-2015:0020
RPMs
  • python-keystoneclient-1:0.9.0-5.el6ost
  • python-keystoneclient-doc-1:0.9.0-5.el6ost
  • python-keystoneclient-1:0.9.0-5.el7ost
  • python-keystoneclient-doc-1:0.9.0-5.el7ost
  • python-keystoneclient-1:0.7.1-5.el6ost
  • python-keystoneclient-doc-1:0.7.1-5.el6ost