OpenStack Keystonemiddleware Privilege Escalation Vulnerability via Spoofed Identity Headers in External OAuth2 Tokens

Vulnerability

A vulnerability exists in OpenStack Keystonemiddleware versions 10.5.0 prior to 10.7.2, 10.8.0 prior to 10.9.1, and 10.10.0 prior to 10.12.1. The issue arises in the external_oauth2_token middleware, which does not properly sanitize incoming authentication headers before processing OAuth 2.0 tokens. This flaw allows an authenticated attacker to send forged identity headers, such as X-Is-Admin-Project, X-Roles, or X-User-Id, potentially leading to unauthorized privilege escalation or impersonation of other users. All deployments utilizing the external_oauth2_token middleware are vulnerable.

Impact

Exploitation of this vulnerability allows authenticated users to escalate privileges to project administrator, bypassing role limits and gaining unauthorized access to administrative capabilities.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request that includes forged identity headers to a service whose pipeline has the external_oauth2_token middleware enabled (it is configured in the service's api-paste.ini file). Because the middleware does not strip these headers before processing the token, the spoofed values pass through to the service, resulting in privilege escalation.

Remediation

Users can upgrade to OpenStack Keystonemiddleware versions 10.12.1 or 11.0.0 to address this vulnerability. Instructions for applying the update are available in the OpenStack documentation.
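The hardening pattern the advisory describes, as an added example that is not keystonemiddleware's own code: a WSGI filter that discards every client-supplied identity header before the token validator sets them, so forged X-Roles, X-User-Id or X-Is-Admin-Project values never reach the service. The token store and the X-Identity-Status header are assumptions constructed for the example; the token lookup stands in for real OAuth 2.0 introspection.

```python
# Identity headers that only the middleware may set. Anything a client sends
# under these names is discarded before token validation runs.
IDENTITY_HEADERS = ("X-User-Id", "X-Roles", "X-Is-Admin-Project", "X-Identity-Status")

# Constructed token store standing in for real OAuth 2.0 token introspection.
CONSTRUCTED_TOKENS = {"tok-alice": {"X-User-Id": "alice", "X-Roles": "member",
                                     "X-Is-Admin-Project": "False"}}

def _environ_key(header):
    # WSGI exposes the request header "X-User-Id" as environ["HTTP_X_USER_ID"].
    return "HTTP_" + header.upper().replace("-", "_")

def strip_identity_headers(environ):
    """Drop every client-supplied identity header; return the names removed."""
    removed = []
    for header in IDENTITY_HEADERS:
        if environ.pop(_environ_key(header), None) is not None:
            removed.append(header)
    return removed

def validate_bearer(environ):
    """Stand-in for token introspection: map a bearer token to its claims."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if auth.startswith("Bearer "):
        return CONSTRUCTED_TOKENS.get(auth[len("Bearer "):])
    return None

def identity_filter(app):
    """Hardened order: strip first, then set headers only from a validated token."""
    def middleware(environ, start_response):
        strip_identity_headers(environ)
        claims = validate_bearer(environ)
        if claims is None:
            environ[_environ_key("X-Identity-Status")] = "Invalid"
        else:
            environ.update({_environ_key(h): v for h, v in claims.items()})
            environ[_environ_key("X-Identity-Status")] = "Confirmed"
        return app(environ, start_response)
    return middleware

def run_request(headers):
    """Drive the filter over a constructed request; return the identity the app saw."""
    environ = {_environ_key(k): v for k, v in headers.items()}
    seen = {}
    def app(env, start_response):
        seen.update({h: env.get(_environ_key(h)) for h in IDENTITY_HEADERS})
        return [b""]
    identity_filter(app)(environ, lambda status, hdrs: None)
    return seen
```

A request carrying a valid token plus forged admin headers ends up with the token's own claims, and a request carrying forged headers but no token reaches the service with no identity at all.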

Added: Jan 19, 2026, 6:31 PM
Updated: Jan 19, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 5.6
remediation: 8.3
relevance: 2.2
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.