Ubuntu 13.10 : keystone vulnerability (USN-2061-1)

Medium Nessus Plugin ID 71564


The remote Ubuntu host is missing a security-related patch.


Steven Hardy discovered that Keystone did not properly enforce trusts when using the ec2tokens API. An authenticated attacker could exploit this to retrieve a token not scoped to the trust and elevate privileges to the trustor's roles.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Update the affected python-keystone package.

Plugin Details

Severity: Medium

ID: 71564

File Name: ubuntu_USN-2061-1.nasl

Version: $Revision: 1.4 $

Type: local

Agent: unix

Published: 2013/12/20

Modified: 2016/05/25

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:python-keystone, cpe:/o:canonical:ubuntu_linux:13.10

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/12/19

Reference Information

CVE: CVE-2013-6391

BID: 64253

OSVDB: 100870

USN: 2061-1