CVE-2012-4456

2012.1.1: fails to validate tokens in Admin API

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.

(1) OS-KSADM/services y (2) la API de identidades en OpenStack Keystone Essex antes de v2012.1.2 y Folsom antes de Folsom-2 no validan correctamente X-auth-Token, lo que permite a atacantes remotos leer los roles de un usuario de su elección u obtener, crear o eliminar servicios de su elección.

Keystone is a Python implementation of the OpenStack identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-08-21 CVE Reserved
2012-10-09 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication
CWE-304: Missing Critical Step in Authentication

CAPEC

References (13)

URL	Tag	Source
http://www.securityfocus.com/bid/55716	Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1006815	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/78944	Third Party Advisory
https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1	Third Party Advisory
https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb	Third Party Advisory
https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431	Third Party Advisory
https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2012/09/28/5	2023-02-13
https://bugs.launchpad.net/keystone/+bug/1006822	2023-02-13
https://lists.launchpad.net/openstack/msg17034.html	2023-02-13

URL	Date	SRC
http://secunia.com/advisories/50665	2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=861179	2012-10-16
https://access.redhat.com/security/cve/CVE-2012-4456	2012-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				>= 2012.1 < 2012.1.2 Search vendor "Openstack" for product "Keystone" and version " >= 2012.1 < 2012.1.2"		-		Affected
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				2012.2 Search vendor "Openstack" for product "Keystone" and version "2012.2"		milestone1		Affected