[Bug 2119646] Fix merged to swift (unmaintained/2024.1)

OpenStack Infra 2119646 at bugs.launchpad.net
Tue Nov 11 20:50:00 UTC 2025


Reviewed:  https://review.opendev.org/c/openstack/swift/+/966068
Committed: https://opendev.org/openstack/swift/commit/ec975b1c74760421f1c25bdd0982f6ecf3eeb0ee
Submitter: "Zuul (22348)"
Branch:    unmaintained/2024.1

commit ec975b1c74760421f1c25bdd0982f6ecf3eeb0ee
Author: Tim Burke <tim.burke at gmail.com>
Date:   Fri Oct 31 09:11:39 2025 -0700

    s3token: Pass service auth token to Keystone
    
    Recent versions of Keystone require auth tokens when accessing the
    /v3/s3tokens endpoint to prevent exposure of a lot of information that
    a user who just has a presigned URL should not be able to see.
    
    UpgradeImpact
    =============
    The s3token middleware now requires Keystone auth credentials to be
    configured. If secret_cache_duration is enabled, these credentials
    should already be configured. Without these credentials, Keystone users
    will no longer be able to make S3 API requests.
    
    Closes-Bug: #2119646
    Change-Id: Ie80bc33d0d9de17ca6eaad3b43628724538001f6
    Signed-off-by: Tim Burke <tim.burke at gmail.com>

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/2119646
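What the UpgradeImpact above means for an operator's proxy-server.conf, as an added example (not taken from the commit or from Swift's sample config; hostnames, the service account name and the password are placeholders). The first [filter:s3token] section is the shape that used to work for Keystone S3 users while secret caching was off and /v3/s3tokens was reachable without a token; the second adds the keystoneauth password-plugin options that the s3token middleware already loads when secret_cache_duration is set, which the commit now makes mandatory. Check the option names against the proxy-server.conf-sample shipped with your Swift version.

```ini
# BEFORE: no Keystone service credentials.  This was sufficient only while
# Keystone served /v3/s3tokens anonymously; with recent Keystone and this
# change, S3 requests from Keystone users fail.
[filter:s3token]
use = egg:swift#s3token
auth_uri = https://keystone.example.test:5000/v3
reseller_prefix = AUTH_

# AFTER: the same keystoneauth options the authtoken middleware uses, so the
# middleware can send a service token to /v3/s3tokens.  If you had
# secret_cache_duration > 0 these lines should already be present.
[filter:s3token]
use = egg:swift#s3token
auth_uri = https://keystone.example.test:5000/v3
reseller_prefix = AUTH_
auth_type = password
auth_url = https://keystone.example.test:5000/v3
username = swift
# placeholder; read from a secret store rather than committing it
password = change-me
user_domain_id = default
project_name = service
project_domain_id = default
```

Restart the proxy after the change and confirm a SigV4-signed request from a Keystone user succeeds; if it returns 401 with the credentials in place, the service user itself is rejected by Keystone, not the S3 signature.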

Title:
  presigned S3 URLs can be used to obtain a full access to the keystone
  account

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released
Status in OpenStack Object Storage (swift):
  Fix Released
Status in keystone package in Ubuntu:
  Confirmed

Bug description:
  The Keystone ec2tokens API allows using the awsv4 signature to obtain a
  token; see an example at https://github.com/kayrus/ec2auth

  The ec2tokens API logic can be used to obtain a keystone token from
  presigned URLs
  (https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html).
  Fortunately, after
  https://security.openstack.org/ossa/OSSA-2020-003.html the default
  time window for obtaining the token was reduced to 15 minutes from the
  moment the presigned URL was generated.

  This is not a problem in an AWS environment, and such links are widely
  used on the Internet to share files. Presigned URLs are also used in
  software like Harbor or Quay, where such links are generated
  dynamically, so the 15m TTL window is not an obstacle.

  Working exploits:

  ec2tokens.py - the ec2tokens API works within 15 minutes (default TTL)
  after the presigned URL was generated. Once the token is generated, an
  attacker can use it to create new ec2 credentials / application
  credentials and gain full access to the user account.

  s3tokens.py - the s3tokens API works with any presigned URL generated
  with keystone ec2 credentials, independently of the TTL. Fortunately,
  this API only exposes the keystone token scope, not the actual token.

  -----------------------------

  Impact:

  Huge for software that uses dynamically generated presigned URLs with
  Keystone EC2 credentials. GitHub is also full of presigned URLs, and
  it is quite easy to search for presigned URLs that were generated in
  public OpenStack clouds. An attacker can subscribe to periodically
  updated repositories that publish new presigned URLs and obtain
  account access within 15 minutes of the URL being generated.

  For presigned URLs created more than 15 minutes ago, an attacker can
  use the s3tokens API to get the keystone user ID, user name, project
  ID and scope, which might be leveraged for other unrelated attacks.

  -----------------------------

  Mitigations:

  Limiting the ec2auth TTL to the minimum will not help in cases where
  presigned URLs are generated dynamically in services like Harbor or
  Quay. Blocking the ec2tokens API entirely can harm services that rely
  on it.

  Fix:

  It is not clear how to fix this, since this is designed behavior.
  Probably nobody thought about the potential security impact.

  See also: https://bugs.launchpad.net/keystone/+bug/1971691

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2119646/+subscriptions
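The exposure window the report describes, worked as an added example (this is not code from the bug report, from kayrus's ec2auth, or from Keystone or Swift): a small triage script that finds SigV4 presigned URLs in free text such as a repository dump or CI log, recovers the access key and signing time from the X-Amz-* query parameters, and decides whether a given URL is still inside the window in which Keystone's ec2tokens API would accept its signature (the 15-minute default the report cites), or whether only the s3tokens scope-metadata exposure remains. The sample text, the hostname and the access key and signature in it are constructed dummy values.

```python
"""Triage SigV4 presigned URLs that may have been signed with Keystone EC2
credentials.

Added example for this bug notification; not code from the report, from
ec2auth, or from Keystone/Swift.  The sample text below is constructed and
the access key and signature in it are dummy values.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Default window in which Keystone's ec2tokens API accepts a signature after
# OSSA-2020-003 (the report cites 15 minutes); deployments may have changed it.
EC2_TOKEN_WINDOW = timedelta(minutes=15)

# Any URL that carries an X-Amz-Signature query parameter is a SigV4
# presigned-URL candidate.  Stops at whitespace, quotes, angle brackets, ')'.
PRESIGNED_RE = re.compile(r"https?://[^\s'\"<>)]+X-Amz-Signature=[0-9a-fA-F]+")


def parse_presigned_url(url):
    """Return the SigV4 fields relevant to the Keystone attack surface, or
    None when the URL is not a complete SigV4 query-string presigned URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if query.get("X-Amz-Algorithm", [""])[0] != "AWS4-HMAC-SHA256":
        return None
    try:
        credential = query["X-Amz-Credential"][0]  # "<access-key>/<date>/<region>/s3/aws4_request"
        amz_date = query["X-Amz-Date"][0]          # ISO 8601 basic, e.g. 20251111T204000Z
        expires = int(query["X-Amz-Expires"][0])   # seconds the URL stays valid for S3 itself
    except (KeyError, ValueError):
        return None
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "host": parts.netloc,
        "path": parts.path,
        "access_key": credential.split("/", 1)[0],
        "signed_at": signed_at,
        "s3_valid_until": signed_at + timedelta(seconds=expires),
    }


def classify(url, now, window=EC2_TOKEN_WINDOW):
    """Say which Keystone exposure a presigned URL still carries at time `now`.

    "ec2tokens-window": the signature is young enough for Keystone's ec2tokens
        API to mint a token for the credential owner.
    "s3tokens-only":    past the window; the signature still identifies the
        user/project via s3tokens, but no token can be obtained from it.
    """
    info = parse_presigned_url(url)
    if info is None:
        return "not-sigv4"
    age = now - info["signed_at"]
    if age < timedelta(0):
        return "future-dated"  # clock skew or a forged X-Amz-Date; treat as live
    if age <= window:
        return "ec2tokens-window"
    return "s3tokens-only"


def scan_text(text, now, window=EC2_TOKEN_WINDOW):
    """Find presigned URLs in free text and classify each one."""
    findings = []
    for match in PRESIGNED_RE.finditer(text):
        url = match.group(0)
        info = parse_presigned_url(url)
        findings.append({
            "url": url,
            "access_key": info["access_key"] if info else None,
            "verdict": classify(url, now, window),
        })
    return findings


# Constructed sample: a README line with a week-long presigned URL signed ten
# minutes before SAMPLE_NOW, plus an unsigned URL that must be ignored.
SAMPLE_NOW = datetime(2025, 11, 11, 20, 50, tzinfo=timezone.utc)
SAMPLE_TEXT = (
    "Download the build artifact here:\n"
    "https://s3.example.test/builds/artifact.tgz"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=0123456789abcdef0123456789abcdef%2F20251111%2FRegionOne%2Fs3%2Faws4_request"
    "&X-Amz-Date=20251111T204000Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
    "Public docs: https://s3.example.test/builds/README.txt (no signature)\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT, SAMPLE_NOW):
        print(finding["verdict"], finding["access_key"], finding["url"])
```

Two points worth noting when using this on real data: the S3-side X-Amz-Expires (a week in the sample) says nothing about the Keystone exposure, which is governed only by the age of X-Amz-Date; and a future-dated signature is reported as live rather than ignored, since a client with skewed clocks produces exactly that and Keystone will still accept it once wall-clock time catches up.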