Merge branch 'feat/blog-sec-keystone' into staging

garloff · garloff · commit 111c4e58604f · 2026-05-29T12:18:07.000+02:00
diff --git a/blog/2026-05-28-keystone.md b/blog/2026-05-28-keystone.md
@@ -0,0 +1,111 @@
+---
+title: Multiple Keystone vulnerabilities affecting credential delegation and authorization (OSSA-2026-015)
+authors: [garloff]
+slug: keystone_credential_delegation_auth_bypass_ossa_2026_015
+tags: [security, openstack, keystone, cve]
+---
+
+## The vulnerability
+
+A series of five related vulnerabilities has been identified in OpenStack
+Keystone that impact how credentials are delegated and how authorization
+policies are enforced. These vulnerabilities allow authenticated attackers to
+bypass security boundaries, impersonate users, and potentially escalate
+privileges to cloud administrator.
+
+The core issues are:
+
+- **RBAC Policy Bypass (CVE-2026-42999):** An attacker can inject RBAC policy
+  targets via a JSON request body, allowing them to bypass authorization on
+  protected endpoints. This can lead to the reading of credential secrets and
+  escalation to cloud admin.
+
+- **Application Credential Impersonation (CVE-2026-42998 & CVE-2026-43000):**
+  Keystone failed to verify if the caller owned the Application Credential
+  being used. This allows for user impersonation within a project, which can be
+  chained with "trust" operations to escalate privileges from a project member to
+  an administrator.
+
+- **Cross-Project EC2 Credentials (CVE-2026-43001):** Application credentials
+  scoped to one project could be used to create EC2-style credentials for a
+i different project, enabling lateral movement across tenant boundaries.
+
+- **Federated Token Rescoping (CVE-2026-44394):** In SAML2/OIDC deployments,
+  federated users can maintain access indefinitely by repeatedly rescoping
+  tokens, as Keystone issues a fresh full-TTL token instead of inheriting the
+  original expiry.
+
+These issues were reported by Boris Bobrov (SAP SE), Tim Shepherd (roiai.ca),
+Erichen (Institute of Computing Technology, CAS), and Artem Goncharov
+(SysEleven GmbH).
+
+## Impact on the SCS software ecosystem
+
+These vulnerabilities pose a significant risk to SCS clouds. Because SCS
+environments rely heavily on S3 compatibility—which utilizes EC2-style
+credentials—the ability to perform cross-project lateral movement
+(CVE-2026-43001) is a direct threat to tenant isolation.
+
+Furthermore, the RBAC bypass (CVE-2026-42999) is particularly severe as it
+undermines the fundamental security model of the cloud, potentially allowing an
+authenticated user to gain full administrative control over the entire Keystone
+service. For deployments using federated identity (SAML2/OIDC), the ability to
+bypass session expiration (CVE-2026-44394) also weakens the security posture
+regarding user lifecycle management.
+
+## Embargo
+
+The issues were reported to the OpenStack Vulnerability Management Team.
+Following coordination with the reporters and upstream developers, the official
+OpenStack Security Advisory
+[OSSA-2026-015](https://security.openstack.org/ossa/OSSA-2026-015.html) was
+published on Tuesday, 2026-05-28.
+
+## Mitigation and Fixes
+
+The primary remediation is to upgrade Keystone to the patched versions provided
+by the upstream OpenStack project.
+
+**Note:** For users with highly customized trust policies, please be aware that
+the fix for CVE-2026-42999 modifies the trust policy structure. This may
+require manual updates to your custom policies to ensure continued
+functionality for services like Heat or image uploads.
+
+The SCS ecosystem software providers are providing fixed keystone images:
+
+- [OSISM](https://osism.tech/docs/appendix/security/ossa-2026-015)
+- [yaook](https://yaook.cloud/security-advisories-cve-2026-33551)
+
+## References
+
+* [OSSA-2026-015 Advisory](https://security.openstack.org/ossa/OSSA-2026-015.html)
+* [Launchpad Bug #2148398](https://bugs.launchpad.net/keystone/+bug/2148398),
+  [#2148477](https://bugs.launchpad.net/keystone/+bug/2148477),
+  [#2149775](https://bugs.launchpad.net/keystone/+bug/2149775),
+  [#2149789](https://bugs.launchpad.net/keystone/+bug/2149789),
+  [#2150089](https://bugs.launchpad.net/keystone/+bug/2150089),
+  [#2150379](https://bugs.launchpad.net/keystone/+bug/2150379)
+* [CVE-2026-42998](https://www.cve.org/CVERecord?id=CVE-2026-42998),
+  [CVE-2026-42999](https://www.cve.org/CVERecord?id=CVE-2026-42999),
+  [CVE-2026-43000](https://www.cve.org/CVERecord?id=CVE-2026-43000),
+  [CVE-2026-43001](https://www.cve.org/CVERecord?id=CVE-2026-43001),
+  [CVE-2026-44394](https://www.cve.org/CVERecord?id=CVE-2026-44394)
+
+## Thanks
+
+The author would like to thank Boris Bobrov, Tim Shepherd, Erichen, and Artem
+Goncharov for their work in discovering and reporting these critical
+vulnerabilities and the OpenStack Vulnerabilty Mangement Team for handling
+and coordinating this and the OpenStack keystone upstream developers for
+addressing the issues.
+
+## Sovereign Cloud Stack Security Contact
+
+SCS security contact is
+[security@scs.community](mailto:security@scs.community), as published on
+[https://sovereigncloudstack.org/.well-known/security.txt](https://sovereigncloudstack.org/.well-known/security.txt).
+
+## Version history
+
+- Initial draft, v0.1, 2026-05-28, 16:00 CEST
+- Release, v1.0, 2026-05-29, 12:00 CEST
