CVE-2026-22797
Affected product: OpenStack keystonemiddleware (multiple products)
Executive summary
A critical vulnerability exists in OpenStack keystonemiddleware that allows an authenticated attacker to escalate their privileges. By sending specially crafted network requests, an attacker can impersonate other users, including administrators, potentially leading to a complete compromise of the OpenStack cloud environment. This could result in unauthorized data access, service disruption, and full administrative control over the affected systems.
Vulnerability
The vulnerability resides in the external_oauth2_token middleware component, which is responsible for handling OAuth 2.0 authentication. The component fails to properly sanitize or remove identity-related HTTP headers from incoming requests before processing them. An attacker who has already authenticated to the system can exploit this by injecting forged headers such as X-Is-Admin-Project, X-Roles, or X-User-Id into their request. The middleware incorrectly trusts these headers, granting the attacker the privileges or identity specified, leading to privilege escalation or user impersonation.
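To make the mechanism concrete, here is an added illustrative WSGI pipeline (example code, not keystonemiddleware's own implementation). It contrasts a pipeline that only populates identity headers from a validated token with one that first deletes any client-supplied copies of the headers named above. The token table, the `service_app` downstream service and the `example.stripped_headers` environ key are constructed for the example.

```python
import json

# Identity headers named in the advisory. Downstream OpenStack services trust
# them, so only the component that validated the token may set them.
IDENTITY_HEADERS = ("X-Is-Admin-Project", "X-Roles", "X-User-Id")

# Constructed token table standing in for a real Keystone validation call.
# The member token deliberately carries no admin-project claim.
VALID_TOKENS = {
    "tok-alice": {"X-User-Id": "u-alice", "X-Roles": "member"},
}


def wsgi_key(header_name):
    """Map an HTTP header name to its WSGI environ key (X-Roles -> HTTP_X_ROLES)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


class StripIdentityHeaders:
    """WSGI filter: delete client-supplied identity headers before the rest
    of the pipeline sees them, and record what was removed for logging."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        removed = [name for name in IDENTITY_HEADERS
                   if environ.pop(wsgi_key(name), None) is not None]
        environ["example.stripped_headers"] = removed
        return self.app(environ, start_response)


class TokenToIdentityHeaders:
    """WSGI filter: set identity headers only from the validated token.
    It sets just the headers it has values for, which is why the strip
    step above is needed as well."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        identity = VALID_TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN"))
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid or missing token"]
        for name, value in identity.items():
            environ[wsgi_key(name)] = value
        return self.app(environ, start_response)


def service_app(environ, start_response):
    """Hypothetical downstream service that trusts the identity headers,
    as OpenStack services do once auth middleware has populated them."""
    body = {
        "user_id": environ.get("HTTP_X_USER_ID"),
        "roles": environ.get("HTTP_X_ROLES"),
        "is_admin_project": environ.get("HTTP_X_IS_ADMIN_PROJECT") == "True",
        "stripped_headers": environ.get("example.stripped_headers", []),
    }
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


def run_request(app, headers):
    """Drive a WSGI app with the given client headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/servers"}
    for name, value in headers.items():
        environ[wsgi_key(name)] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    raw = b"".join(app(environ, start_response))
    body = json.loads(raw) if captured["status"].startswith("200") else raw.decode()
    return captured["status"], body


# Pipeline missing the strip step: the pattern the advisory describes.
passthrough_pipeline = TokenToIdentityHeaders(service_app)
# Hardened pipeline: strip first, then populate from the validated token.
hardened_pipeline = StripIdentityHeaders(TokenToIdentityHeaders(service_app))

# Constructed request: a valid member token plus forged identity headers.
FORGED_REQUEST = {
    "X-Auth-Token": "tok-alice",
    "X-Roles": "admin",
    "X-Is-Admin-Project": "True",
    "X-User-Id": "u-admin",
}

if __name__ == "__main__":
    print("passthrough:", run_request(passthrough_pipeline, FORGED_REQUEST))
    print("hardened:   ", run_request(hardened_pipeline, FORGED_REQUEST))
```

Running it shows the difference the advisory describes: with the strip step the downstream service sees the member identity and an empty admin-project flag, while without it the one header the validator never sets (X-Is-Admin-Project) arrives straight from the client.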
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation could lead to a complete compromise of the OpenStack environment's confidentiality, integrity, and availability. An attacker could gain administrative privileges, allowing them to access, modify, or delete all data and configurations within the cloud, provision or destroy virtual resources, and potentially pivot to other connected systems within the organization's network. The financial and reputational damage from such a breach could be severe, including data loss, regulatory fines, and loss of customer trust.
Remediation
Immediate Action: Update OpenStack keystonemiddleware to the latest version. Monitor for exploitation attempts and review access logs. Specifically, organizations should upgrade to version 10.7.2, 10.9.1, 10.12.1, or a later patched version as soon as possible.
Proactive Monitoring:
Security teams should actively monitor access logs for API requests that contain the headers X-Is-Admin-Project, X-Roles, or X-User-Id. Investigate any instances where these headers appear in requests originating from users or systems that should not be setting them. Additionally, monitor for anomalous administrative activities, such as resource creation or permission changes initiated by accounts that are not designated administrators.
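The following added example (not part of the advisory) runs the check described above over constructed JSON access-log lines, as a reverse proxy in front of the API might emit them. The log format, the addresses and the `TRUSTED_SOURCES` allow list are assumptions for the example; any request from a non-trusted source that carries one of the three identity headers is reported.

```python
import json

# Header names from the advisory, lower-cased for case-insensitive matching.
IDENTITY_HEADERS = frozenset({"x-is-admin-project", "x-roles", "x-user-id"})

# Constructed sample log lines (not real traffic). One line is deliberately
# malformed to show that the scanner skips it instead of crashing.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:12:01Z", "remote_addr": "203.0.113.7", "method": "GET", "path": "/v2.1/servers", "headers": {"x-auth-token": "<redacted>", "user-agent": "python-novaclient"}}
{"ts": "2026-01-10T09:12:05Z", "remote_addr": "203.0.113.7", "method": "POST", "path": "/v3/users", "headers": {"x-auth-token": "<redacted>", "x-roles": "admin", "x-is-admin-project": "True"}}
{"ts": "2026-01-10T09:12:09Z", "remote_addr": "10.0.0.5", "method": "GET", "path": "/v2.1/servers", "headers": {"x-auth-token": "<redacted>", "x-user-id": "u-123"}}
this line is not json and must be skipped
{"ts": "2026-01-10T09:13:44Z", "remote_addr": "198.51.100.22", "method": "DELETE", "path": "/v2.1/servers/abc", "headers": {"X-Auth-Token": "<redacted>", "X-User-Id": "u-admin"}}
"""

# Hypothetical internal component that is allowed to set these headers.
TRUSTED_SOURCES = frozenset({"10.0.0.5"})


def find_header_injection(log_text, trusted_sources=frozenset()):
    """Return one finding per request that carries an identity header and
    did not come from a trusted source."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip rather than abort the scan
        headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
        hits = sorted(IDENTITY_HEADERS.intersection(headers))
        if not hits or record.get("remote_addr") in trusted_sources:
            continue
        findings.append({
            "line": lineno,
            "ts": record.get("ts"),
            "remote_addr": record.get("remote_addr"),
            "request": f"{record.get('method')} {record.get('path')}",
            "injected": {name: headers[name] for name in hits},
        })
    return findings


if __name__ == "__main__":
    for finding in find_header_injection(SAMPLE_LOG, TRUSTED_SOURCES):
        print(json.dumps(finding))
```

The allow list is what distinguishes legitimate internal traffic from suspicious requests; run the scanner once with an empty allow list first to confirm that your own infrastructure is the only source that ever sets these headers.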
Compensating Controls:
If immediate patching is not feasible, implement a Web Application Firewall (WAF) or a reverse proxy to inspect all incoming traffic to the affected middleware endpoints. Configure rules to strip or block any requests containing the malicious headers (X-Is-Admin-Project, X-Roles, X-User-Id) before they reach the OpenStack services. Restricting network access to the affected endpoints to only trusted sources can also reduce the attack surface.
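As an added illustration of the reverse-proxy control described above (not a configuration from the advisory), the nginx fragment below drops the three headers before the request reaches the backend and records whether a client sent them. It assumes nginx sits in front of the API endpoint that runs the affected middleware; the `api_backend` upstream name, the listen address and the log path are placeholders.

```nginx
# nginx does not forward a proxied header whose value is set to the empty
# string, so these three lines remove any client-supplied copy.
# The $http_* variables in the log format capture what the client sent,
# which feeds the monitoring step above.
log_format identity_hdrs '$remote_addr [$time_iso8601] "$request" '
                         'x_roles="$http_x_roles" '
                         'x_is_admin_project="$http_x_is_admin_project" '
                         'x_user_id="$http_x_user_id"';

upstream api_backend {
    server 127.0.0.1:8774;   # placeholder backend address
}

server {
    listen 443 ssl;
    access_log /var/log/nginx/api_identity_hdrs.log identity_hdrs;

    location / {
        proxy_set_header X-Is-Admin-Project "";
        proxy_set_header X-Roles "";
        proxy_set_header X-User-Id "";
        proxy_pass http://api_backend;
    }
}
```

Stripping at the proxy only helps if the backend is reachable exclusively through the proxy; combine it with the network restriction mentioned above so that direct requests to the middleware endpoint are not possible.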
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.9 and the potential for a complete system compromise, this vulnerability poses a severe risk to the organization. We strongly recommend that the required security updates be applied with the highest priority. Although this CVE is not currently listed on the CISA KEV catalog, its critical impact warrants immediate attention and remediation to prevent potential exploitation.