diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md new file mode 100644 index 0000000000..befa0a4cad --- /dev/null +++ b/blog/2026-05-28-keystone.md 
@@ -0,0 +1,126 @@ +--- +title: Multiple Keystone vulnerabilities affecting credential delegation and authorization (OSSA-2026-015) +authors: [garloff] +slug: keystone_credential_delegation_auth_bypass_ossa_2026_015 +tags: [security, openstack, keystone, cve] +--- + +## The vulnerabilities + +A series of five related vulnerabilities has been identified in OpenStack +Keystone that impact how credentials are delegated and how authorization +policies are enforced. These vulnerabilities allow authenticated attackers to +bypass security boundaries, impersonate users, and potentially escalate +privileges to cloud administrator. + +The core issues are: + +- **RBAC Policy Bypass (CVE-2026-42999):** An attacker can inject RBAC policy + targets via a JSON request body, allowing them to bypass authorization on + protected endpoints. This can lead to the reading of credential secrets and + escalation to cloud admin. + +- **Application Credential Impersonation (CVE-2026-42998 & CVE-2026-43000):** + Keystone failed to verify if the caller owned the Application Credential + being used. This allows for user impersonation within a project, which can be + chained with "trust" operations to escalate privileges from a project member to + an administrator. + +- **Cross-Project EC2 Credentials (CVE-2026-43001):** Application credentials + scoped to one project could be used to create EC2-style credentials for a +different project, enabling lateral movement across tenant boundaries. + +- **Federated Token Rescoping (CVE-2026-44394):** In SAML2/OIDC deployments, + federated users can maintain access indefinitely by repeatedly rescoping + tokens, as Keystone issues a fresh full-TTL token instead of inheriting the + original expiry. + +These issues were reported by Boris Bobrov (SAP SE), Tim Shepherd (roiai.ca), +Erichen (Institute of Computing Technology, CAS), and Artem Goncharov +(SysEleven GmbH). 
+ +## Impact on the SCS software ecosystem + +These vulnerabilities pose a significant risk to SCS clouds. Because SCS +environments rely heavily on S3 compatibility—which utilizes EC2-style +credentials—the ability to perform cross-project lateral movement +(CVE-2026-43001) is a direct threat to tenant isolation. + +Furthermore, the RBAC bypass (CVE-2026-42999) is particularly severe as it +undermines the fundamental security model of the cloud, potentially allowing an +authenticated user to gain full administrative control over the entire Keystone +service. For deployments using federated identity (SAML2/OIDC), the ability to +bypass session expiration (CVE-2026-44394) also weakens the security posture +regarding user lifecycle management. + +## Embargo + +The issues were reported to the OpenStack Vulnerability Management Team. +Following coordination with the reporters and upstream developers, the official +OpenStack Security Advisory +[OSSA-2026-015](https://security.openstack.org/ossa/OSSA-2026-015.html) was +published on Tuesday, 2026-05-28. + +## Mitigation and Fixes + +The primary remediation is to upgrade Keystone to the patched versions provided +by the upstream OpenStack project. + +**Note:** For users with highly customized trust policies, please be aware that +the fix for CVE-2026-42999 modifies the trust policy structure. This may +require manual updates to your custom policies to ensure continued +functionality for services like Heat or image uploads. + +The SCS ecosystem software providers are providing fixed Keystone images: + +- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015) +- [yaook](https://yaook.cloud/security-advisories-cve-2026-33551) + +## Outlook + +We see an increased velocity with which security issues are found in the +IT industry. We're glad to see them reported against the open source projects +that we are using and the community is working hard to address the issues. 
+Security researchers have become more efficient due to the usage of AI tools +and so have OSS developers - we expect the high volume to continue for the +upcoming months and maybe beyond. + +SCS has always emphasized the ability to patch with confidence on a daily basis +as an important design criterium for the lifecycle management of our components. +It now seems to be needed more than ever. We advise operators to prepare for +this new world and ensure to work on any processual issues that are slowing +them down in deployment. + +## References + +- [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html) +- [Launchpad Bug #2148398](https://bugs.launchpad.net/keystone/+bug/2148398), + [#2148477](https://bugs.launchpad.net/keystone/+bug/2148477), + [#2149775](https://bugs.launchpad.net/keystone/+bug/2149775), + [#2149789](https://bugs.launchpad.net/keystone/+bug/2149789), + [#2150089](https://bugs.launchpad.net/keystone/+bug/2150089), + [#2150379](https://bugs.launchpad.net/keystone/+bug/2150379) +- [CVE-2026-42998](https://www.cve.org/CVERecord?id=CVE-2026-42998), + [CVE-2026-42999](https://www.cve.org/CVERecord?id=CVE-2026-42999), + [CVE-2026-43000](https://www.cve.org/CVERecord?id=CVE-2026-43000), + [CVE-2026-43001](https://www.cve.org/CVERecord?id=CVE-2026-43001), + [CVE-2026-44394](https://www.cve.org/CVERecord?id=CVE-2026-44394) + +## Thanks + +The author would like to thank Boris Bobrov, Tim Shepherd, Erichen, and Artem +Goncharov for their work in discovering and reporting these critical +vulnerabilities and the OpenStack Vulnerability Management Team for handling +and coordinating this and the OpenStack Keystone upstream developers for +addressing the issues. + +## Sovereign Cloud Stack Security Contact + +SCS security contact is +[security@scs.community](mailto:security@scs.community), as published on +[https://sovereigncloudstack.org/.well-known/security.txt](https://sovereigncloudstack.org/.well-known/security.txt). 
+ +## Version history + +- Initial draft, v0.1, 2026-05-28, 16:00 CEST +- Release, v1.0, 2026-05-29, 12:00 CEST
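Review bot: the yaook link in "Mitigation and Fixes" points at `https://yaook.cloud/security-advisories-cve-2026-33551`, but CVE-2026-33551 is not one of the five CVEs this post covers (42998, 42999, 43000, 43001, 44394), so it looks like a leftover from an earlier advisory and should be replaced with the yaook page for OSSA-2026-015 or dropped until one exists. Two smaller points in the same hunk: the Embargo section says the advisory "was published on Tuesday, 2026-05-28", yet 2026-05-28 falls on a Thursday, so either the weekday or the date needs correcting (the filename and the version history both use 2026-05-28); and in the Outlook section "design criterium" should read "design criterion". Formatting: the continuation line "different project, enabling lateral movement across tenant boundaries." in the CVE-2026-43001 bullet lacks the two-space indent the other bullet continuations use, which will render it outside the list item.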