Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65073

CVE-2025-65073: OpenStack Keystone Auth Bypass Flaw

CVE-2025-65073 is an authentication bypass vulnerability in OpenStack Keystone that allows unauthorized access via valid AWS Signatures. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-65073 Overview

OpenStack Keystone before version 26.0.1, 27.0.0, and 28.0.0 contains an authorization bypass vulnerability that allows attackers to leverage valid AWS Signatures through the /v3/ec2tokens or /v3/s3tokens endpoints to obtain Keystone authorization. This flaw represents a significant security gap in OpenStack's identity service, potentially allowing unauthorized access to cloud resources.

Critical Impact

Attackers with valid AWS credentials can bypass Keystone authorization controls, potentially gaining unauthorized access to OpenStack cloud infrastructure and resources.

Affected Products

  • OpenStack Keystone versions before 26.0.1
  • OpenStack Keystone version 27.0.0
  • OpenStack Keystone version 28.0.0

Discovery Timeline

  • 2025-11-17 - CVE-2025-65073 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-65073

Vulnerability Analysis

This vulnerability is classified as CWE-863 (Incorrect Authorization), which occurs when a software component performs an authorization check that does not correctly prevent access to a resource. In the case of OpenStack Keystone, the identity service improperly handles AWS Signature authentication requests, allowing these external credentials to provide Keystone authorization tokens without proper validation.

The vulnerability specifically affects the EC2 and S3 token authentication endpoints, which are designed to provide compatibility with Amazon Web Services APIs. When a request is made to /v3/ec2tokens or /v3/s3tokens with a valid AWS Signature, Keystone incorrectly grants authorization without performing adequate access control verification.

The network-based attack vector combined with the scope change characteristic means an attacker exploiting this vulnerability could potentially impact resources beyond the vulnerable component's security scope, affecting the confidentiality of protected data and enabling unauthorized modifications to cloud infrastructure.

Root Cause

The root cause of this vulnerability lies in the improper authorization logic within Keystone's EC2 and S3 token authentication middleware. The authentication endpoints fail to properly validate whether the AWS credentials being presented should be permitted to obtain Keystone authorization tokens. This creates a trust boundary violation where external AWS credentials are incorrectly treated as sufficient for internal OpenStack authorization.

Attack Vector

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable Keystone endpoints. The attack requires network access to the OpenStack Keystone API and possession of valid AWS Signature credentials. The attacker sends a properly formatted request to either /v3/ec2tokens or /v3/s3tokens containing their AWS Signature, and Keystone responds with authorization tokens that grant access to OpenStack resources.

The vulnerability is particularly concerning in multi-cloud environments where AWS credentials may be more readily available or in scenarios where an organization uses both AWS and OpenStack infrastructure. The authorization bypass does not require user interaction and can be executed remotely, though the attack complexity is considered high due to the requirement of valid AWS credentials.

Detection Methods for CVE-2025-65073

Indicators of Compromise

  • Unusual authentication requests to /v3/ec2tokens or /v3/s3tokens endpoints from unexpected IP addresses or clients
  • Elevated volume of token generation requests through EC2/S3 compatibility endpoints
  • Authentication logs showing successful Keystone authorizations that do not correlate with legitimate user activity
  • Access to OpenStack resources from entities that should only have AWS credentials

Detection Strategies

  • Monitor Keystone authentication logs for anomalous patterns in EC2 and S3 token endpoint usage
  • Implement network-level monitoring to detect unusual traffic patterns to Keystone API endpoints
  • Deploy SentinelOne Singularity Platform to detect and alert on suspicious authentication behaviors in cloud infrastructure
  • Create alerting rules for successful authentications through compatibility endpoints that don't match expected usage patterns

Monitoring Recommendations

  • Enable verbose logging on Keystone authentication endpoints, particularly for /v3/ec2tokens and /v3/s3tokens
  • Correlate Keystone authentication events with expected user and service account activity
  • Monitor for lateral movement following any authorization events through the affected endpoints
  • Implement real-time alerting for any new or unexpected usage of EC2/S3 token compatibility features

How to Mitigate CVE-2025-65073

Immediate Actions Required

  • Upgrade OpenStack Keystone to patched versions: 26.0.1 or later for the 26.x branch, and patched releases for 27.x and 28.x branches
  • Review authentication logs for any suspicious activity through the affected endpoints
  • Consider temporarily disabling the EC2 and S3 token endpoints if not required for operations
  • Audit all existing tokens issued through the affected endpoints and revoke any suspicious authorizations

Patch Information

OpenStack has addressed this vulnerability in Keystone versions after 26.0.1, 27.0.0, and 28.0.0. Organizations should consult the Openwall OSS Security Update and Openwall OSS Security Notification for detailed patch information and upgrade guidance.

Workarounds

  • Disable the EC2 and S3 token authentication endpoints in Keystone configuration if AWS compatibility is not required
  • Implement network-level access controls to restrict which clients can reach the /v3/ec2tokens and /v3/s3tokens endpoints
  • Deploy additional authentication layers or API gateways to validate requests before they reach Keystone
  • Use network segmentation to limit exposure of Keystone API endpoints to trusted networks only
bash
# Keystone configuration to disable EC2/S3 token endpoints (if not needed)
# Edit /etc/keystone/keystone.conf

[ec2]
# Disable EC2 token driver if not required
driver = keystone.contrib.ec2.backends.noop.Ec2

# Alternatively, use firewall rules to block access
# iptables example to restrict access to EC2 tokens endpoint
iptables -A INPUT -p tcp --dport 5000 -m string --string "/v3/ec2tokens" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 5000 -m string --string "/v3/s3tokens" --algo bm -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.