<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Keystone - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/keystone/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/keystone/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenStack Keystone LDAP Authentication Bypass Vulnerability (CVE-2026-40683)</title><link>https://feed.craftedsignal.io/briefs/2024-05-keystone-ldap-bypass/</link><pubDate>Fri, 17 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-keystone-ldap-bypass/</guid><description>OpenStack Keystone before 28.0.1 is vulnerable to an authentication bypass due to improper handling of the user enabled attribute in the LDAP identity backend when the user_enabled_invert configuration option is False, leading to disabled users being treated as enabled.</description><content:encoded><![CDATA[<p>OpenStack Keystone, a core service providing identity, token, catalog, and policy services in OpenStack clouds, contains an authentication bypass vulnerability (CVE-2026-40683) in versions prior to 28.0.1. The vulnerability lies within the LDAP identity backend, specifically in how it processes the user enabled attribute retrieved from the LDAP server. When the <code>user_enabled_invert</code> configuration option is set to False (the default configuration), the <code>_ldap_res_to_model</code> method in the <code>UserApi</code> class fails to correctly convert the LDAP attribute to a boolean value. This flaw causes users marked as disabled in LDAP to be incorrectly treated as enabled within Keystone, granting them unauthorized access and the ability to perform actions within the OpenStack environment. All deployments using the LDAP identity backend without <code>user_enabled_invert=True</code> or <code>user_enabled_emulation</code> are susceptible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an OpenStack deployment using Keystone with LDAP authentication and the default <code>user_enabled_invert=False</code> configuration.</li>
<li>The attacker obtains credentials for a user that is marked as disabled within the LDAP directory.</li>
<li>The attacker attempts to authenticate to Keystone using the disabled user's credentials via the standard authentication API endpoint (<code>/v3/auth/tokens</code>).</li>
<li>Keystone's LDAP backend retrieves the <code>user_enabled</code> attribute for the user from the LDAP server.</li>
<li>Due to the vulnerability, Keystone incorrectly interprets the &quot;FALSE&quot; string value from LDAP as a truthy value in Python, effectively treating the disabled user as enabled.</li>
<li>Keystone generates an authentication token for the user.</li>
<li>The attacker uses the authentication token to access other OpenStack services and resources, bypassing the intended access controls.</li>
<li>The attacker performs unauthorized actions within the OpenStack environment, such as creating instances, accessing data, or modifying configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40683 allows attackers to bypass authentication controls and gain unauthorized access to OpenStack resources. This can lead to a complete compromise of the OpenStack environment, including data breaches, service disruption, and unauthorized resource consumption. The vulnerability affects all OpenStack deployments using the LDAP identity backend with the default configuration, potentially impacting a large number of organizations across various sectors, including cloud service providers, research institutions, and enterprises.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenStack Keystone to version 28.0.1 or later to patch CVE-2026-40683.</li>
<li>As a temporary workaround, set the <code>user_enabled_invert</code> configuration option to <code>True</code> in the <code>keystone.conf</code> file. This will ensure that the user enabled attribute from LDAP is correctly converted to a boolean.</li>
<li>Monitor Keystone logs for suspicious authentication attempts, specifically focusing on users marked as disabled in LDAP, and deploy the Sigma rule <code>OpenStack Keystone LDAP Authentication Bypass Attempt</code> to identify potential exploitation attempts based on successful authentications of disabled LDAP users.</li>
<li>Review and audit user access controls and permissions within the OpenStack environment to minimize the potential impact of unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openstack</category><category>keystone</category><category>ldap</category><category>authentication-bypass</category></item></channel></rss>