{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/keystone/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-40683"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keystone"],"_cs_severities":["high"],"_cs_tags":["openstack","keystone","ldap","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["OpenStack"],"content_html":"\u003cp\u003eOpenStack Keystone, a core service providing identity, token, catalog, and policy services in OpenStack clouds, contains an authentication bypass vulnerability (CVE-2026-40683) in versions prior to 28.0.1. The vulnerability lies within the LDAP identity backend, specifically in how it processes the user enabled attribute retrieved from the LDAP server. When the \u003ccode\u003euser_enabled_invert\u003c/code\u003e configuration option is set to False (the default configuration), the \u003ccode\u003e_ldap_res_to_model\u003c/code\u003e method in the \u003ccode\u003eUserApi\u003c/code\u003e class fails to correctly convert the LDAP attribute to a boolean value. This flaw causes users marked as disabled in LDAP to be incorrectly treated as enabled within Keystone, granting them unauthorized access and the ability to perform actions within the OpenStack environment. All deployments using the LDAP identity backend without \u003ccode\u003euser_enabled_invert=True\u003c/code\u003e or \u003ccode\u003euser_enabled_emulation\u003c/code\u003e are susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenStack deployment using Keystone with LDAP authentication and the default \u003ccode\u003euser_enabled_invert=False\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains credentials for a user that is marked as disabled within the LDAP directory.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to Keystone using the disabled user's credentials via the standard authentication API endpoint (\u003ccode\u003e/v3/auth/tokens\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eKeystone's LDAP backend retrieves the \u003ccode\u003euser_enabled\u003c/code\u003e attribute for the user from the LDAP server.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Keystone incorrectly interprets the \u0026quot;FALSE\u0026quot; string value from LDAP as a truthy value in Python, effectively treating the disabled user as enabled.\u003c/li\u003e\n\u003cli\u003eKeystone generates an authentication token for the user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the authentication token to access other OpenStack services and resources, bypassing the intended access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions within the OpenStack environment, such as creating instances, accessing data, or modifying configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40683 allows attackers to bypass authentication controls and gain unauthorized access to OpenStack resources. This can lead to a complete compromise of the OpenStack environment, including data breaches, service disruption, and unauthorized resource consumption. The vulnerability affects all OpenStack deployments using the LDAP identity backend with the default configuration, potentially impacting a large number of organizations across various sectors, including cloud service providers, research institutions, and enterprises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenStack Keystone to version 28.0.1 or later to patch CVE-2026-40683.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, set the \u003ccode\u003euser_enabled_invert\u003c/code\u003e configuration option to \u003ccode\u003eTrue\u003c/code\u003e in the \u003ccode\u003ekeystone.conf\u003c/code\u003e file. This will ensure that the user enabled attribute from LDAP is correctly converted to a boolean.\u003c/li\u003e\n\u003cli\u003eMonitor Keystone logs for suspicious authentication attempts, specifically focusing on users marked as disabled in LDAP, and deploy the Sigma rule \u003ccode\u003eOpenStack Keystone LDAP Authentication Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts based on successful authentications of disabled LDAP users.\u003c/li\u003e\n\u003cli\u003eReview and audit user access controls and permissions within the OpenStack environment to minimize the potential impact of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-17T12:00:00Z","date_published":"2024-05-17T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-keystone-ldap-bypass/","summary":"OpenStack Keystone before 28.0.1 is vulnerable to an authentication bypass due to improper handling of the user enabled attribute in the LDAP identity backend when the user_enabled_invert configuration option is False, leading to disabled users being treated as enabled.","title":"OpenStack Keystone LDAP Authentication Bypass Vulnerability (CVE-2026-40683)","url":"https://feed.craftedsignal.io/briefs/2024-05-keystone-ldap-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Keystone","version":"https://jsonfeed.org/version/1.1"}