[Bug 2119646] Re: [OSSA-2025-002] Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073)
Marc Deslauriers
2119646 at bugs.launchpad.net
Thu Dec 11 19:58:15 UTC 2025
** No longer affects: keystone (Ubuntu)
https://bugs.launchpad.net/bugs/2119646
Title:
[OSSA-2025-002] Unauthenticated access to EC2/S3 token endpoints can
grant Keystone authorization (CVE-2025-65073)
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Status in OpenStack Object Storage (swift):
Fix Released
Bug description:
The Keystone ec2tokens API allows using the awsv4 signature to obtain a
token; see an example at https://github.com/kayrus/ec2auth
The ec2tokens API logic can be used to obtain a keystone token from
presigned URLs
(https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).
Fortunately, after
https://security.openstack.org/ossa/OSSA-2020-003.html the default
time window to obtain the token was reduced to 15 minutes from the
moment the presigned URL was generated.
This is not a problem in an AWS environment, and such links are widely
used on the Internet to share files. Presigned URLs are also used in
software like Harbor or Quay, where such links are generated
dynamically, so the 15m TTL window is not an obstacle.
Working exploits:
ec2tokens.py - ec2tokens API works within 15 minutes (default TTL)
after the presigned URL was generated. Once the token is generated, an
attacker can use it to create new ec2 credentials / application
credentials and gain full access to the user account.
s3tokens.py - s3tokens API works with any presigned URL generated with
keystone ec2 credentials, independently of the TTL. Fortunately this
API only exposes the keystone token scope, not the actual token.
-----------------------------
Impact:
Huge for software that uses dynamically generated presigned URLs with
Keystone EC2 credentials. GitHub is also full of presigned URLs, and
it is quite easy to search for presigned URLs that were generated in
public OpenStack clouds. An attacker can subscribe to periodically
updated repositories that publish new presigned URLs and obtain
account access within 15 minutes of the URL being generated.
For presigned URLs older than 15 minutes, an attacker can use the
s3tokens API to get the keystone user ID, user name, project ID and
scope, which might be leveraged for other unrelated attacks.
-----------------------------
Mitigations:
Limiting the ec2auth TTL to the minimum will not help in cases when
presigned URLs are generated dynamically in services like Harbor or
Quay. A full ec2tokens API block can harm services that rely on the
ec2tokens API.
Fix:
Not clear how to fix this, since this is designed behavior. Probably
nobody thought about the potential security impact.
See also: https://bugs.launchpad.net/keystone/+bug/1971691
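Added example (not the reporter's ec2tokens.py or s3tokens.py, and not Keystone or Swift code): a triage script for presigned URLs found in repositories or CI logs, illustrating the two findings above. It splits a SigV4 query-string-authenticated URL into exactly the pieces a verifier recomputes the signature over (host, verb, path, query parameters minus X-Amz-Signature), which is why Keystone's ec2tokens plugin can validate a share link it was never meant to see, and it measures the remaining 15-minute ec2tokens window from X-Amz-Date rather than from the URL's own X-Amz-Expires, which only S3 enforces. Assumptions: the 15-minute default auth_ttl mentioned in the report; the heuristic that Keystone EC2 access keys are 32 lowercase hex characters (openstackclient generates them with uuid4().hex) while AWS access key IDs are 20 uppercase alphanumerics; and the sample URLs, hosts and signatures, which are constructed dummies.

```python
"""Triage leaked S3 presigned URLs against the Keystone ec2tokens/s3tokens
issue in bug 2119646.  Added example, not the reporter's scripts and not
Keystone code.  Assumptions: 15-minute auth_ttl (OSSA-2020-003 default) and
the key-shape heuristic in looks_like_keystone_ec2_access()."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

KEYSTONE_AUTH_TTL = timedelta(minutes=15)   # assumed default after OSSA-2020-003
AMZ_DATE = "%Y%m%dT%H%M%SZ"
# Time of the notification above, used as "now" for the constructed sample.
REPORT_TIME = datetime(2025, 12, 11, 19, 58, 15, tzinfo=timezone.utc)

# A presigned URL always ends in its 64-hex-char SigV4 signature parameter.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+X-Amz-Signature=[0-9a-f]{64}")


def parse_amz_date(value):
    """X-Amz-Date is ISO 8601 basic format in UTC, e.g. 20251211T195000Z."""
    return datetime.strptime(value, AMZ_DATE).replace(tzinfo=timezone.utc)


def looks_like_keystone_ec2_access(access):
    """Heuristic (assumption): Keystone EC2 access keys are uuid4().hex, i.e.
    32 lowercase hex chars; AWS access key IDs are 20 uppercase alphanumerics."""
    return re.fullmatch(r"[0-9a-f]{32}", access) is not None


def parse_presigned_url(url):
    """Split a SigV4 query-string-authenticated URL into the components a
    verifier (S3, or Keystone's ec2tokens plugin) recomputes the signature
    over.  Presigned share links are GET; X-Amz-Signature is the only query
    parameter excluded from the signed canonical request."""
    parts = urlsplit(url)
    flat = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    required = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
    missing = [k for k in required if k not in flat]
    if missing:
        raise ValueError("not a SigV4 presigned URL, missing %s" % missing)
    cred = flat["X-Amz-Credential"].split("/")   # <access>/<date>/<region>/s3/aws4_request
    if len(cred) != 5 or cred[4] != "aws4_request":
        raise ValueError("malformed X-Amz-Credential")
    return {
        "host": parts.netloc,
        "verb": "GET",
        "path": parts.path or "/",
        "params": {k: v for k, v in flat.items() if k != "X-Amz-Signature"},
        "access": cred[0],
        "region": cred[2],
        "signed_at": parse_amz_date(flat["X-Amz-Date"]),
        "expires_in": int(flat["X-Amz-Expires"]),   # enforced by S3, not by ec2tokens
        "signature": flat["X-Amz-Signature"],
    }


def ec2tokens_window_remaining(parsed, now, ttl=KEYSTONE_AUTH_TTL):
    """Seconds during which the ec2tokens timestamp check still accepts this
    signature: auth_ttl counted from X-Amz-Date, clipped at zero."""
    remaining = (parsed["signed_at"] + ttl) - now
    return max(0, int(remaining.total_seconds()))


def triage(text, now):
    """Find every presigned URL in text and classify it as in the report:
    replayable to ec2tokens (token), only usable with s3tokens (scope leak),
    or not a Keystone credential at all."""
    findings = []
    for m in _URL_RE.finditer(text):
        try:
            p = parse_presigned_url(m.group(0))
        except ValueError:
            continue
        if not looks_like_keystone_ec2_access(p["access"]):
            verdict = "aws-style access key, not a Keystone EC2 credential"
        else:
            left = ec2tokens_window_remaining(p, now)
            if left > 0:
                verdict = "ec2tokens: Keystone token obtainable for %ds more" % left
            else:
                verdict = "s3tokens: window closed, user/project scope still disclosable"
        findings.append((p["host"], p["access"], verdict))
    return findings


# Constructed sample input; hosts, keys and signatures are dummies.
SAMPLE = """\
Download the image here:
https://s3.example.test/bucket/image.qcow2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=3f1b0d6e9a6c4d0a9a2c1b7e5d4f3a21%2F20251211%2FRegionOne%2Fs3%2Faws4_request&X-Amz-Date=20251211T195000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000001
and an AWS-style one for comparison:
https://bucket.s3.amazonaws.com/file.bin?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLEEXAMPLE12%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T195000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000002
"""

if __name__ == "__main__":
    for host, access, verdict in triage(SAMPLE, REPORT_TIME):
        print(host, access[:8] + "...", verdict)
```

Run against a checkout or a CI log instead of SAMPLE to find links that are still inside the window; anything older than the TTL is the s3tokens case from the report, so the access key owner should still be told to rotate the EC2 credential.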