CVE-2025-65073 Overview
OpenStack Keystone before versions 26.0.1, 27.0.0, and 28.0.0 contains an authorization bypass vulnerability that allows an attacker holding a valid AWS Signature to obtain Keystone authorization through the /v3/ec2tokens or /v3/s3tokens endpoints. This flaw is a significant gap in OpenStack's identity service and can lead to unauthorized access to cloud resources.
Critical Impact
Attackers with valid AWS credentials can bypass Keystone authorization controls, potentially gaining unauthorized access to OpenStack cloud infrastructure and resources.
Affected Products
- OpenStack Keystone versions before 26.0.1
- OpenStack Keystone version 27.0.0
- OpenStack Keystone version 28.0.0
Discovery Timeline
- 2025-11-17 - CVE-2025-65073 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65073
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), which occurs when a software component performs an authorization check that does not correctly prevent access to a resource. In the case of OpenStack Keystone, the identity service improperly handles AWS Signature authentication requests, allowing these external credentials to provide Keystone authorization tokens without proper validation.
The vulnerability specifically affects the EC2 and S3 token authentication endpoints, which are designed to provide compatibility with Amazon Web Services APIs. When a request is made to /v3/ec2tokens or /v3/s3tokens with a valid AWS Signature, Keystone incorrectly grants authorization without performing adequate access control verification.
Because the attack vector is network-based and the CVSS scope is changed, an attacker exploiting this vulnerability could affect resources beyond the vulnerable component's own security scope, compromising the confidentiality of protected data and enabling unauthorized modification of cloud infrastructure.
Root Cause
The root cause of this vulnerability lies in the improper authorization logic within Keystone's EC2 and S3 token authentication middleware. The authentication endpoints fail to properly validate whether the AWS credentials being presented should be permitted to obtain Keystone authorization tokens. This creates a trust boundary violation where external AWS credentials are incorrectly treated as sufficient for internal OpenStack authorization.
Attack Vector
An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable Keystone endpoints. The attack requires network access to the OpenStack Keystone API and possession of valid AWS Signature credentials. The attacker sends a properly formatted request to either /v3/ec2tokens or /v3/s3tokens containing their AWS Signature, and Keystone responds with authorization tokens that grant access to OpenStack resources.
The vulnerability is particularly concerning in multi-cloud environments, where AWS credentials may be more readily available, and in organizations that run both AWS and OpenStack infrastructure. The authorization bypass requires no user interaction and can be executed remotely, though the attack complexity is rated high because valid AWS credentials are required.
Detection Methods for CVE-2025-65073
Indicators of Compromise
- Unusual authentication requests to /v3/ec2tokens or /v3/s3tokens endpoints from unexpected IP addresses or clients
- Elevated volume of token generation requests through EC2/S3 compatibility endpoints
- Authentication logs showing successful Keystone authorizations that do not correlate with legitimate user activity
- Access to OpenStack resources from entities that should only have AWS credentials
Detection Strategies
- Monitor Keystone authentication logs for anomalous patterns in EC2 and S3 token endpoint usage
- Implement network-level monitoring to detect unusual traffic patterns to Keystone API endpoints
- Deploy SentinelOne Singularity Platform to detect and alert on suspicious authentication behaviors in cloud infrastructure
- Create alerting rules for successful authentications through compatibility endpoints that don't match expected usage patterns
Monitoring Recommendations
- Enable verbose logging on Keystone authentication endpoints, particularly for /v3/ec2tokens and /v3/s3tokens
- Correlate Keystone authentication events with expected user and service account activity
- Monitor for lateral movement following any authorization events through the affected endpoints
- Implement real-time alerting for any new or unexpected usage of EC2/S3 token compatibility features
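The indicators and detection strategies above can be turned into a simple log check. The following is an added example, not code from the advisory or from the Keystone project: it scans web-server access log lines (assumed here to be in Apache combined-log format, as commonly produced when Keystone runs behind httpd) for successful requests to /v3/ec2tokens or /v3/s3tokens, drops any source on an operator-maintained allowlist, and reports the remaining sources with their request counts so that volume spikes and unexpected clients both surface. The log lines and the allowlist are constructed for the example.

```python
"""Flag Keystone authorizations obtained through the EC2/S3 compatibility endpoints.

Added example, not part of the advisory or of Keystone itself. Assumes access
logs in Apache combined-log format; the sample lines and allowlist below are
constructed, not real traffic.
"""
import re
from collections import Counter

# Endpoints named in the advisory.
EC2_S3_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")

# Apache combined-log format: source, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2025:10:00:01 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4096
10.0.0.9 - - [17/Nov/2025:10:00:02 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2048
203.0.113.7 - - [17/Nov/2025:10:00:03 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2048
203.0.113.7 - - [17/Nov/2025:10:00:04 +0000] "POST /v3/s3tokens HTTP/1.1" 200 2048
203.0.113.7 - - [17/Nov/2025:10:00:05 +0000] "POST /v3/s3tokens HTTP/1.1" 401 120
10.0.0.9 - - [17/Nov/2025:10:00:06 +0000] "GET /v3/projects HTTP/1.1" 200 512
"""

# Hosts expected to use the compatibility endpoints (constructed; maintained by the operator).
EXPECTED_SOURCES = {"10.0.0.9"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    # Strip any query string so "/v3/ec2tokens?x=y" is still recognised.
    event["path"] = event["path"].split("?", 1)[0]
    return event


def compat_token_successes(lines):
    """Return parsed events where a token was issued (2xx) via an EC2/S3 endpoint."""
    events = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["path"] in EC2_S3_PATHS and 200 <= event["status"] < 300:
            events.append(event)
    return events


def find_unexpected_sources(lines, expected=EXPECTED_SOURCES):
    """Map each non-allowlisted source to its count of successful compat-endpoint tokens."""
    counts = Counter(event["src"] for event in compat_token_successes(lines))
    return {src: n for src, n in counts.items() if src not in expected}


def main():
    lines = SAMPLE_LOG.splitlines()
    hits = find_unexpected_sources(lines)
    for src, n in sorted(hits.items()):
        print(f"ALERT: {n} successful EC2/S3 token request(s) from unexpected source {src}")
    if not hits:
        print("no unexpected EC2/S3 token issuance found")


if __name__ == "__main__":
    main()
```

Failed attempts (4xx) are deliberately excluded from the count, because the indicator of interest is a token actually being issued; a separate rule on repeated failures from one source would cover brute-force style noise. Feed the script your real access log path and allowlist in place of the constructed values, and correlate the reported sources with the user and service-account activity expected in your environment.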
How to Mitigate CVE-2025-65073
Immediate Actions Required
- Upgrade OpenStack Keystone to patched versions: 26.0.1 or later for the 26.x branch, and patched releases for 27.x and 28.x branches
- Review authentication logs for any suspicious activity through the affected endpoints
- Consider temporarily disabling the EC2 and S3 token endpoints if not required for operations
- Audit all existing tokens issued through the affected endpoints and revoke any suspicious authorizations
Patch Information
OpenStack has addressed this vulnerability in Keystone versions after 26.0.1, 27.0.0, and 28.0.0. Organizations should consult the Openwall OSS Security Update and Openwall OSS Security Notification for detailed patch information and upgrade guidance.
Workarounds
- Disable the EC2 and S3 token authentication endpoints in Keystone configuration if AWS compatibility is not required
- Implement network-level access controls to restrict which clients can reach the /v3/ec2tokens and /v3/s3tokens endpoints
- Deploy additional authentication layers or API gateways to validate requests before they reach Keystone
- Use network segmentation to limit exposure of Keystone API endpoints to trusted networks only
# Keystone configuration to disable EC2/S3 token endpoints (if not needed)
# Edit /etc/keystone/keystone.conf. Check the [ec2] section and the driver
# value against the configuration reference for your Keystone release before
# applying, then restart the Keystone service.
[ec2]
# Disable EC2 token driver if not required
driver = keystone.contrib.ec2.backends.noop.Ec2

# Alternatively, use firewall rules to block access.
# iptables example to restrict access to the EC2/S3 token endpoints on the
# default Keystone port (5000). The string match only sees the request path
# in unencrypted HTTP; if Keystone is served over TLS (the usual deployment),
# deny these paths at the TLS-terminating reverse proxy instead.
iptables -A INPUT -p tcp --dport 5000 -m string --string "/v3/ec2tokens" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 5000 -m string --string "/v3/s3tokens" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.