CVE-2025-65073
📋 TL;DR
OpenStack Keystone releases before 26.0.1, 27.0.0, and 28.0.0 contain an authorization bypass in the AWS Signature authentication path: the /v3/ec2tokens and /v3/s3tokens endpoints, which validate requests signed with a Keystone-issued EC2 credential (an access key and secret pair, not an Amazon AWS account). A signed request could be granted Keystone authorization without proper validation, and the result is an ordinary Keystone token usable against every other OpenStack service. Any deployment that uses Keystone for identity is affected; the two endpoints are part of the standard v3 API and are what the Swift S3 API and the EC2-compatible API rely on.
💻 Affected Systems
- OpenStack Keystone
⚠️ Manual Verification Required
Version-based scanners may not flag this CVE if their feed lacks vendor-supplied version ranges, so do not rely on an automated verdict: confirm exposure by hand.
- Review the CVE details at NVD and the OpenStack advisory (linked under Fix & Mitigation)
- Compare the advisory against the exact Keystone version you run and against your distribution's package changelog, since vendors backport fixes without changing the upstream version
- Check whether /v3/ec2tokens and /v3/s3tokens are reachable from networks that have no need for them
- Upgrade to a fixed release as a precaution even where you believe exposure is limited
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding any valid Keystone EC2 credential (the access key and secret pair used for the S3 and EC2-compatible APIs, not an Amazon AWS account) could obtain Keystone authorization beyond what that credential should grant, up to administrative access, leading to data exfiltration, service disruption, or compromise of the whole cloud.
Likely Case
A leaked or stolen EC2 credential is used to mint a Keystone token and reach projects or resources its owner should not have, followed by privilege escalation inside the cloud. These credentials are long-lived and commonly sit in S3 client configuration on workstations and CI systems, so compromise is realistic.
If Mitigated
With the EC2/S3 token endpoints reachable only from the hosts that legitimately call them and EC2 credentials issued only where they are needed, impact is limited to the services and projects those credentials cover; misuse within that scope remains possible until the patch is applied.
🎯 Exploit Status
Exploitation requires a valid Keystone EC2 credential (access key and secret); no password, token, or other Keystone authentication is needed beyond that, and the request is a single POST to /v3/ec2tokens or /v3/s3tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.0.1, 27.0.0, or 28.0.0
Vendor Advisory: https://www.openwall.com/lists/oss-security/2025/11/04/2
Restart Required: Yes
Instructions:
1. Upgrade Keystone to 26.0.1, 27.0.0, or 28.0.0, or to your distribution's package that carries the fix, on every controller node.
2. Restart the Keystone services. Keystone runs inside Apache mod_wsgi or uWSGI workers, so restart those; a graceful reload that keeps old workers alive keeps serving the old code.
3. Verify the fix: confirm the running version (see How to Verify) and re-test EC2/S3 token issuance with a known credential so that legitimate callers such as the Swift S3 API still work.
🔧 Temporary Workarounds
Block the EC2/S3 token endpoints in front of Keystone
Keystone has no keystone.conf option that disables /v3/ec2tokens or /v3/s3tokens; they are registered together with the rest of the v3 API. Until the patch is in, deny them at the web server or proxy that fronts Keystone. The fragment below assumes Keystone is served by Apache mod_wsgi (the common deployment); use the equivalent ACL in HAProxy or uWSGI otherwise, and replace "Require all denied" with "Require ip <address>" entries for the Swift proxy and EC2-API hosts if those must keep working.
# Apache vhost serving Keystone (assumed mod_wsgi deployment): deny both endpoints
<LocationMatch "^/v3/(ec2|s3)tokens$">
    Require all denied
</LocationMatch>
Network access control
Restrict access to the Keystone EC2/S3 token endpoints with firewall rules. This only works where Keystone is served as plain HTTP on port 5000: the string match cannot see inside TLS, and a request line split across packets slips past it, so treat this as a stopgap rather than a control. Insert the rules ahead of any rule that already accepts port 5000 (hence -I rather than -A), and exempt the Swift proxy and EC2-API hosts with "! -s <address>" if they must keep calling the endpoints.
iptables -I INPUT -p tcp --dport 5000 -m string --string "/v3/ec2tokens" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 5000 -m string --string "/v3/s3tokens" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation so that only the Swift proxy and EC2-API hosts that need the EC2/S3 token endpoints can reach them
- Inventory EC2 credentials (openstack ec2 credentials list, per user or with --user as an admin) and delete the ones nobody needs; every valid credential is a way onto the vulnerable path
- Monitor and alert on all token issuance through /v3/ec2tokens and /v3/s3tokens
🔍 How to Verify
Check if Vulnerable:
Check the Keystone version with keystone-manage --version (or the installed package version). Every release before 26.0.1, including all older release series, is affected; 26.0.1, 27.0.0, 28.0.0 and anything later are fixed. Distribution packages may carry the fix under an older upstream version, so check the package changelog before concluding that a backported package is vulnerable.
Check Version:
keystone-manage --version
Verify Fix Applied:
After the upgrade, confirm keystone-manage --version reports 26.0.1, 27.0.0, 28.0.0 or later on every controller, confirm the web server workers were actually restarted (a stale mod_wsgi or uWSGI process keeps serving the old code), and re-test EC2/S3 token issuance with a known credential to check that AWS Signature authentication still works for legitimate callers.
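The version comparison above, as an added example that is not part of the advisory or of the Keystone project's code. It reads the version string from keystone-manage --version (falling back to the installed package metadata) and classifies it against the fixed releases, reporting pre-release strings such as 26.0.1.dev3 or 27.0.0rc1 (what pbr produces from a git checkout) as unconfirmed rather than fixed, because the underlying commit may predate the fix. The function names and the three-way result are this example's own.

```python
"""Classify a Keystone version string against the CVE-2025-65073 fixed releases.

Added example, not code from the advisory or from Keystone. Fixed releases per
the advisory: 26.0.1, 27.0.0, 28.0.0. A release below 26.0.1 (any series) is
affected; a pre-release tag on a fixed version (26.0.1.dev3, 27.0.0rc1) means a
build from a commit that may predate the fix, so it is reported as unconfirmed.
Distribution backports are invisible here: check the package changelog for those.
"""
import re
import subprocess
from importlib import metadata

FIRST_FIX = (26, 0, 1)

# major.minor.patch with an optional pbr-style pre-release suffix (.devN, aN, bN, rcN)
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?P<pre>\.dev\d+|(?:a|b|rc)\d+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from free-form version output."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version string in {text!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    return release, m.group("pre") is not None


def assess(version_text):
    """Return 'affected', 'fixed' or 'unconfirmed' for a Keystone version string."""
    release, prerelease = parse_version(version_text)
    if release < FIRST_FIX:
        return "affected"
    if prerelease:
        return "unconfirmed"  # built from a commit that may or may not include the fix
    return "fixed"


def installed_version():
    """Version string of the local install, from keystone-manage or package metadata."""
    try:
        proc = subprocess.run(["keystone-manage", "--version"],
                              capture_output=True, text=True, check=True)
        return (proc.stdout + proc.stderr).strip()
    except (OSError, subprocess.CalledProcessError):
        # Raises metadata.PackageNotFoundError if Keystone is not installed here.
        return metadata.version("keystone")


if __name__ == "__main__":
    version = installed_version()
    print(f"keystone {version}: {assess(version)} (CVE-2025-65073)")
```

Run it on each controller node; it only inspects the local install, so a fleet check means running it everywhere Keystone is deployed.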
📡 Detection & Monitoring
Log Indicators:
- Keystone does not log request paths itself; the Apache or uWSGI access log in front of it does. Look there for POST requests to /v3/ec2tokens or /v3/s3tokens.
- Bursts, new source addresses, or off-hours activity against those endpoints
- Token issuance through them from anything other than the Swift proxy nodes (s3token middleware) and EC2-API hosts that legitimately call them, or for users and projects that do not use the S3/EC2 APIs
Network Indicators:
- HTTP POST to /v3/ec2tokens or /v3/s3tokens carrying a JSON body whose credentials object holds an access key and signature (the AWS-style signature travels in the body of the Keystone request, not in its headers, so signatures on header-based rules will not match)
SIEM Query:
source="keystone" AND (uri_path="/v3/ec2tokens" OR uri_path="/v3/s3tokens") AND http_method="POST"
Field names follow whichever access-log parser feeds the SIEM; add a NOT src_ip IN (<expected callers>) clause to drop the legitimate Swift proxy and EC2-API traffic.