[Bug 2119646] Re: presigned S3 URLs can be used to obtain full access to the keystone account
Ubuntu Foundations Team Bug Bot
2119646 at bugs.launchpad.net
Fri Nov 7 04:31:23 UTC 2025
The attachment "WiP patch" seems to be a patch. If it isn't, please
remove the "patch" flag from the attachment, remove the "patch" tag, and
if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/2119646
Title:
presigned S3 URLs can be used to obtain full access to the keystone account
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Status in OpenStack Object Storage (swift):
Fix Released
Status in keystone package in Ubuntu:
Confirmed
Bug description:
The Keystone ec2tokens API allows using the AWSv4 signature to obtain a token; see the example at https://github.com/kayrus/ec2auth
The ec2tokens API logic can be used to obtain a keystone token from presigned URLs (https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).
Fortunately, after https://security.openstack.org/ossa/OSSA-2020-003.html the default time window to obtain the token was reduced to 15 minutes from the moment the presigned URL was generated.
This is not a problem in an AWS environment, and such links are widely used on the Internet to share files. Presigned URLs are also used in software like Harbor or Quay, where such links are generated dynamically, thus the 15m TTL window is not an obstacle.
Working exploits:
ec2tokens.py - the ec2tokens API works within 15 minutes (default TTL) after the presigned URL was generated. Once the token is generated, an attacker can use it to create new ec2 credentials / application credentials and gain full access to the user account.
s3tokens.py - the s3tokens API works with any presigned URL generated with keystone ec2 credentials, independently of the TTL. Fortunately this API only exposes the keystone token scope, not the actual token.
-----------------------------
Impact:
Huge for software that uses dynamically generated presigned URLs with Keystone EC2 credentials. GitHub is also full of presigned URLs, and it is quite easy to search for presigned URLs that were generated in public OpenStack clouds. An attacker can subscribe to periodically updated repositories that publish new presigned URLs and obtain account access within 15 minutes after the URL was generated.
For presigned URLs older than 15 minutes, an attacker can use the s3tokens API to get the keystone user ID, user name, project ID and scope, which might be leveraged for other unrelated attacks.
-----------------------------
Mitigations:
Limiting the ec2auth TTL to a minimum will not help in cases where presigned URLs are generated dynamically in services like Harbor or Quay. A full ec2tokens API block can harm services that rely on the ec2tokens API.
Fix:
Not clear how to fix this, since this is designed behavior. Probably nobody thought about the potential security impact.
See also: https://bugs.launchpad.net/keystone/+bug/1971691
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2119646/+subscriptions
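The bug description above notes that presigned URLs leak a Keystone EC2 access key ID and a signing timestamp, and that the ec2tokens window (15 minutes by default) runs from that timestamp. The scanner below is an added example, not code from the bug report, keystone or swift: it finds SigV4 presigned URLs in arbitrary text (repository contents, CI logs, chat exports), extracts the access key ID and signing time from the standard X-Amz-Credential and X-Amz-Date query parameters, and reports whether the ec2tokens window is still open and whether the URL itself has expired. The sample text, hostnames and access key IDs are constructed; the 15-minute value is the default quoted in the bug, and the reference time is the date of this mail. It does not contact keystone; correlate the reported host against your own object-storage endpoints to decide which hits are Keystone EC2 credentials rather than AWS ones.

```python
"""Find SigV4 presigned URLs in text and report what they expose.

Added example (not part of the bug report or of keystone/swift).
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Default window in which the ec2tokens API still accepts the signature,
# as stated in the bug description (the OSSA-2020-003 default).
EC2TOKENS_WINDOW = timedelta(minutes=15)

# Any URL carrying the SigV4 algorithm parameter, ended by whitespace or quotes.
URL_RE = re.compile(r"""https?://[^\s'"<>]*X-Amz-Algorithm=AWS4-HMAC-SHA256[^\s'"<>]*""")

# Reference "now" fixed to the date of this mail so results are reproducible;
# a real run would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2025, 11, 7, 4, 31, 23, tzinfo=timezone.utc)

# Constructed sample: lines as they might appear in a repo or CI log.
# Hosts and access key IDs are made up.
SAMPLE_TEXT = """\
artifact: https://swift.cloud.example/v1/AUTH_proj/bucket/app.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=0123456789abcdef0123456789abcdef%2F20251107%2FRegionOne%2Fs3%2Faws4_request&X-Amz-Date=20251107T042500Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef
old: https://swift.cloud.example/v1/AUTH_proj/bucket/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=0123456789abcdef0123456789abcdef%2F20251106%2FRegionOne%2Fs3%2Faws4_request&X-Amz-Date=20251106T040000Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=cafebabe
stale: https://s3.other.example/bucket/x.bin?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20251101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251101T000000Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=0badf00d
plain: https://example.org/file
"""


def parse_presigned(url):
    """Return the SigV4 fields of a presigned URL, or None if it is not one."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if q.get("X-Amz-Algorithm", [None])[0] != "AWS4-HMAC-SHA256":
        return None
    try:
        credential = q["X-Amz-Credential"][0]      # AKID/date/region/service/aws4_request
        amz_date = q["X-Amz-Date"][0]              # YYYYMMDDTHHMMSSZ
        expires = int(q["X-Amz-Expires"][0])       # lifetime in seconds
        signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return None
    return {
        "host": parts.netloc,
        "access_key": credential.split("/")[0],
        "signed_at": signed_at,
        "expires_at": signed_at + timedelta(seconds=expires),
    }


def assess(fields, now):
    """Classify what the URL still allows at time `now`."""
    age = now - fields["signed_at"]
    return {
        # ec2tokens accepts the signature only within the window after signing.
        "ec2tokens_window_open": timedelta(0) <= age <= EC2TOKENS_WINDOW,
        # The object itself stays downloadable until X-Amz-Expires elapses.
        "url_still_valid": now <= fields["expires_at"],
    }


def scan(text, now):
    """Return one finding per presigned URL found in `text`."""
    findings = []
    for match in URL_RE.finditer(text):
        fields = parse_presigned(match.group(0))
        if fields is not None:
            findings.append({**fields, **assess(fields, now)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT, REFERENCE_NOW):
        print(f"{f['host']}: key={f['access_key']} signed={f['signed_at']:%Y-%m-%d %H:%M:%S}Z "
              f"ec2tokens_window_open={f['ec2tokens_window_open']} "
              f"url_still_valid={f['url_still_valid']}")
```

Even after the 15-minute window has closed, a hit still means the access key ID is public and, per the bug, the s3tokens API will confirm the user and project behind it, so treat every hit as a credential to rotate rather than only the ones with the window open.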
More information about the Ubuntu-openstack-bugs
mailing list