CVE-2021-38155
📋 TL;DR
This vulnerability in OpenStack Keystone allows unauthenticated attackers to confirm account existence and obtain account UUIDs through failed authentication attempts when account locking is enabled. Any deployment with security_compliance.lockout_failure_attempts configured is affected. This information disclosure could facilitate further attacks against identified accounts.
💻 Affected Systems
- OpenStack Keystone
📦 What is this software?
Keystone by Openstack
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all valid user accounts, obtain their UUIDs, and use this information for targeted attacks, privilege escalation, or account takeover attempts.
Likely Case
Attackers confirm existence of specific accounts and obtain UUIDs, enabling reconnaissance for future attacks or correlating with other vulnerabilities.
If Mitigated
With proper network controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires guessing account names and observing different error responses between existing and non-existing accounts during failed authentication attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.2, 17.0.1, 18.0.1, or 19.0.1
Vendor Advisory: https://security.openstack.org/ossa/OSSA-2021-003.html
Restart Required: Yes
Instructions:
1. Upgrade Keystone to a patched version (16.0.2, 17.0.1, 18.0.1, or 19.0.1, depending on your branch).
2. Restart Keystone services.
3. Verify the fix by checking the version and testing authentication behavior.
🔧 Temporary Workarounds
Disable account lockout feature
Linux: Temporarily disable the security_compliance.lockout_failure_attempts setting to prevent exploitation
Edit keystone.conf: security_compliance.lockout_failure_attempts = 0
Restart keystone services
Implement rate limiting at network layer
All platforms: Use a web application firewall or load balancer to limit authentication attempts per IP
🧯 If You Can't Patch
- Disable security_compliance.lockout_failure_attempts in keystone.conf
- Implement network-level rate limiting and monitoring for authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check whether security_compliance.lockout_failure_attempts is set to a value greater than 0 in keystone.conf and whether the Keystone version is in the affected range
Check Version:
keystone-manage --version
Verify Fix Applied:
Verify that the Keystone version is 16.0.2, 17.0.1, 18.0.1, or 19.0.1 or later on its branch, and test that failed authentication returns the same error message whether or not the account exists
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts for same username from single source
- Authentication failures followed by account lockout events
Network Indicators:
- High volume of POST requests to /v3/auth/tokens endpoint
- Pattern of authentication attempts with varying usernames
SIEM Query:
source="keystone" AND ("authentication failed" OR "Invalid credentials") | stats count by src_ip, user
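The log indicators above can be checked offline as well as in a SIEM. The following is an added example (not part of the advisory or of Keystone) that parses constructed, simplified Keystone-style failed-authentication lines and flags a source IP that fails against many different usernames inside a short window, which is the enumeration pattern, while leaving a single-account brute-force pattern for a separate rule. The log line format and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed, simplified Keystone-style format
# ("<timestamp> WARNING keystone.auth Authentication failed for user=<name> from <ip>").
# The real layout depends on the deployment's log driver and formatter.
SAMPLE_LOGS = """\
2021-08-10 12:00:01.101 WARNING keystone.auth Authentication failed for user=alice from 203.0.113.5
2021-08-10 12:00:01.402 WARNING keystone.auth Authentication failed for user=bob from 203.0.113.5
2021-08-10 12:00:01.733 WARNING keystone.auth Authentication failed for user=carol from 203.0.113.5
2021-08-10 12:00:02.010 WARNING keystone.auth Authentication failed for user=dave from 203.0.113.5
2021-08-10 12:00:02.287 WARNING keystone.auth Authentication failed for user=erin from 203.0.113.5
2021-08-10 12:00:02.590 WARNING keystone.auth Authentication failed for user=frank from 203.0.113.5
2021-08-10 12:05:10.000 WARNING keystone.auth Authentication failed for user=alice from 198.51.100.7
2021-08-10 12:05:12.000 WARNING keystone.auth Authentication failed for user=alice from 198.51.100.7
2021-08-10 12:05:14.000 WARNING keystone.auth Authentication failed for user=alice from 198.51.100.7
2021-08-10 12:05:20.000 INFO keystone.auth Authentication succeeded for user=alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING keystone\.auth Authentication failed "
    r"for user=(?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_failures(log_text):
    """Return (timestamp, src_ip, user) for every failed-auth line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m["ip"], m["user"]))
    return out

def find_enumeration(log_text, window_s=60, min_users=5, min_spread=0.8):
    """Flag source IPs whose failures hit many *different* usernames inside one window.
    Brute force against one account looks different (many attempts, one user), so the
    spread ratio (distinct users / attempts in the window) separates the two patterns."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            win = [u for t, u in events[i:] if (t - start).total_seconds() <= window_s]
            users = set(win)
            if len(users) >= min_users and len(users) / len(win) >= min_spread:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Tune window_s and min_users to the normal failure rate of your deployment; the single-account failures from 198.51.100.7 are left for the lockout-event indicator above rather than this rule.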
🔗 References
- http://www.openwall.com/lists/oss-security/2021/08/10/5
- https://launchpad.net/bugs/1688137
- https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html
- https://security.openstack.org/ossa/OSSA-2021-003.html