An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create     an EC2 credential for themselves for a project that they have a specified role on, and then perform an     update to the credential user and project, allowing them to masquerade as another user. This potentially     allows a malicious user to act as the admin on a project another user has the admin role on, which can     effectively grant that user global admin privileges. (CVE-2020-12691)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4480-1 advisory.

    It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker     with a limited scope could possibly create EC2 credentials with escalated permissions. (CVE-2020-12689,     CVE-2020-12691)

    It was discovered that OpenStack Keystone incorrectly handled the list of roles provided with OAuth1     access tokens. An authenticated user could possibly end up with more role assignments than intended.
    (CVE-2020-12690)

    It was discovered that OpenStack Keystone incorrectly handled EC2 signature TTL checks. A remote attacker     could possibly use this issue to reuse Authorization headers. (CVE-2020-12692)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3102 advisory.

    The OpenStack Identity service (keystone) authenticates and authorizes     OpenStack users by keeping track of users and their permitted activities.
    The Identity service supports multiple forms of authentication, including     user name and password credentials, token-based systems, and AWS-style     logins.

    Security Fix(es):

    * EC2 and credential endpoints are not protected from a scoped context     (CVE-2020-12689)

    * OAuth1 request token authorize silently ignores roles parameter     (CVE-2020-12690)

    * Credentials endpoint policy logic allows changing credential owner and     target project ID (CVE-2020-12691)

    * failure to check signature TTL of the EC2 credential auth method     (CVE-2020-12692)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3105 advisory.

    The OpenStack Identity service (keystone) authenticates and authorizes     OpenStack users by keeping track of users and their permitted activities.
    The Identity service supports multiple forms of authentication, including     user name and password credentials, token-based systems, and AWS-style     logins.

    Security Fix(es):

    * EC2 and credential endpoints are not protected from a scoped context     (CVE-2020-12689)

    * OAuth1 request token authorize silently ignores roles parameter     (CVE-2020-12690)

    * Credentials endpoint policy logic allows changing credential owner and     target project ID (CVE-2020-12691)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3096 advisory.

    The OpenStack Identity service (keystone) authenticates and authorizes     OpenStack users by keeping track of users and their permitted activities.
    The Identity service supports multiple forms of authentication, including     user name and password credentials, token-based systems, and AWS-style     logins.

    Security Fix(es):

    * EC2 and credential endpoints are not protected from a scoped context     (CVE-2020-12689)

    * Credentials endpoint policy logic allows changing credential owner and     target project ID (CVE-2020-12691)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2732 advisory.

    The OpenStack Identity service (keystone) authenticates and authorizes     OpenStack users by keeping track of users and their permitted activities.
    The Identity service supports multiple forms of authentication, including     user name and password credentials, token-based systems, and AWS-style     logins.

    Security Fix(es):

    * EC2 and credential endpoints are not protected from a scoped context     (CVE-2020-12689)

    * Credentials endpoint policy logic allows changing credential owner and     target project ID (CVE-2020-12691)

    * failure to check signature TTL of the EC2 credential auth method     (CVE-2020-12692)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
250898	Linux Distros Unpatched Vulnerability : CVE-2020-12691	Nessus	Misc.	high
140178	Ubuntu 18.04 LTS : OpenStack Keystone vulnerabilities (USN-4480-1)	Nessus	Ubuntu Local Security Checks	high
138850	RHEL 8 : openstack-keystone (RHSA-2020:3102)	Nessus	Red Hat Local Security Checks	high
138848	RHEL 8 : openstack-keystone (RHSA-2020:3105)	Nessus	Red Hat Local Security Checks	high
138846	RHEL 7 : openstack-keystone (RHSA-2020:3096)	Nessus	Red Hat Local Security Checks	high
137759	RHEL 7 : openstack-keystone (RHSA-2020:2732)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-12691

high

Tenable Plugins

high

high

high

high

high

high