Debian dla-4611 : keystone - security update

Nessus Plugin ID 318131 (severity: high)

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4611 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4611-1                [email protected]
https://www.debian.org/lts/security/          Santiago Ruano Rincón
May 31, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : keystone
Version        : 2:18.1.0-1+deb11u3
CVE ID         : CVE-2026-33551 CVE-2026-40683 CVE-2026-42998 CVE-2026-42999 CVE-2026-43000 CVE-2026-43001 CVE-2026-44394
Debian Bug     : 1133118 1133884 1135645

Multiple vulnerabilities have been found in Keystone, the OpenStack identity service, including privilege escalation and authorization and access control flaws.

CVE-2026-33551

An authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3/s3api) are affected. Reported by Maxence Bornecque, from Orange Cyberdefense CERT Vulnerability Intelligence Watch Team.

CVE-2026-40683

The LDAP identity backend does not convert the enabled attribute to a boolean. When the user_enabled_invert configuration option was False (the default), Keystone did not correctly interpret the LDAP enabled attribute, causing users disabled in LDAP to be treated as enabled and allowed to authenticate. Deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected. Independently reported by Benedikt Trefzer and Andrew Bogott.

CVE-2026-42998

Application credential authentication does not verify that the caller owns the credential, allowing user impersonation within a shared project. Reported by Boris Bobrov, from SAP SE.

CVE-2026-42999

An attacker can inject RBAC policy targets via the JSON request body, bypassing authorization on any policy-protected endpoint. This allows reading all credential secrets, creating credentials for arbitrary users, and granting admin across domains. Reported by Boris Bobrov, from SAP SE.

CVE-2026-43000

The impersonation from CVE-2026-42998 can be chained with trusts to escalate from member to admin. The resulting trust persists independently of the original credential. Reported by Boris Bobrov, from SAP SE.

CVE-2026-43001

Application credentials scoped to one project can create EC2 credentials for a different project. Reported by Tim Shepherd, roiai.ca.

CVE-2026-44394

Federated users can maintain access indefinitely by repeatedly re-scoping tokens before expiry. Each re-scope issues a fresh full-TTL token instead of inheriting the original expiry. Only SAML2/OIDC deployments are affected. Reported by Erichen, Institute of Computing Technology, Chinese Academy of Sciences.

For Debian 11 bullseye, these problems have been fixed in version 2:18.1.0-1+deb11u3.

We recommend that you upgrade your keystone packages.

For the detailed security status of keystone please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/keystone

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
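As an added illustration of the version-based check the note above describes (this is not the Nessus plugin's code and not part of the Debian advisory): a Python implementation of dpkg's version ordering from Debian Policy, applied to constructed `dpkg -l` output to decide whether the installed keystone packages are older than the fixed version 2:18.1.0-1+deb11u3. The package names are those in the plugin's CPE list; the sample `dpkg -l` text and its description column are made up for the example.

```python
"""Debian version comparison and a DLA-4611 "missing update" check.

Added example, not Tenable's plugin code and not Debian's own tooling.
It implements the dpkg version ordering (Debian Policy 5.6.12) and runs
it over constructed `dpkg -l` output. Fixed version and package names
come from the advisory; the sample output below is made up.
"""
import re

FIXED_VERSION = "2:18.1.0-1+deb11u3"  # fixed version named in DLA-4611
# Binary packages from the plugin's CPE list
KEYSTONE_PACKAGES = {"keystone", "python3-keystone", "keystone-doc"}


def _char_order(c):
    """dpkg's ordering for a character inside a non-digit run."""
    if c == "~":
        return -1           # tilde sorts before everything, even end of string
    if c.isalpha():
        return ord(c)       # letters sort before non-letters
    return ord(c) + 256     # '+', '.', etc. sort after letters


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character counts as 0."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision string the dpkg way:
    alternate non-digit runs (lexical, tilde/letter rules) and digit runs
    (numeric, so leading zeros do not matter)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""  # absent revision compares like "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 in the order dpkg --compare-versions would give."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_versions(dpkg_l_output):
    """Map installed package name -> version from `dpkg -l` text.
    Only rows whose status column is 'ii' or 'hi' (installed, possibly on
    hold) count; 'rc' rows (removed, config files remain) are skipped."""
    found = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("ii", "hi"):
            name = fields[1].split(":", 1)[0]  # drop ':arch' suffix if present
            found[name] = fields[2]
    return found


def affected_packages(dpkg_l_output, fixed=FIXED_VERSION):
    """(name, version) pairs for keystone packages older than the fixed version."""
    return sorted(
        (name, ver)
        for name, ver in installed_versions(dpkg_l_output).items()
        if name in KEYSTONE_PACKAGES and compare_versions(ver, fixed) < 0
    )


# Constructed sample `dpkg -l` output (descriptions are made up).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
||/ Name              Version              Architecture Description
+++-=================-====================-============-============================
ii  keystone          2:18.1.0-1+deb11u2   all          OpenStack identity service (sample)
ii  python3-keystone  2:18.1.0-1+deb11u2   all          OpenStack identity service (sample)
rc  keystone-doc      2:18.1.0-1+deb11u1   all          OpenStack identity service (sample)
"""

if __name__ == "__main__":
    for name, ver in affected_packages(SAMPLE_DPKG_L):
        print(f"{name} {ver} is older than {FIXED_VERSION}: DLA-4611 not applied")
```

The `rc` row is deliberately included to show that a package whose files were removed is not reported even though its recorded version is old; a real scanner keys on the dpkg status columns the same way. Like the plugin, this only compares version strings and does not confirm that the running service has been restarted after the upgrade.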

Solution

Upgrade the keystone packages.

See Also

https://security-tracker.debian.org/tracker/source-package/keystone

https://security-tracker.debian.org/tracker/CVE-2026-33551

https://security-tracker.debian.org/tracker/CVE-2026-40683

https://security-tracker.debian.org/tracker/CVE-2026-42998

https://security-tracker.debian.org/tracker/CVE-2026-42999

https://security-tracker.debian.org/tracker/CVE-2026-43000

https://security-tracker.debian.org/tracker/CVE-2026-43001

https://security-tracker.debian.org/tracker/CVE-2026-44394

https://packages.debian.org/source/bullseye/keystone

Plugin Details

Severity: High

ID: 318131

File Name: debian_DLA-4611.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/1/2026

Updated: 6/1/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-43001

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python3-keystone, p-cpe:/a:debian:debian_linux:keystone-doc, p-cpe:/a:debian:debian_linux:keystone

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/31/2026

Vulnerability Publication Date: 4/10/2026

Reference Information

CVE: CVE-2026-33551, CVE-2026-40683, CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394