CVE-2020-12692: 
Python vulnerability analysis and mitigation

A vulnerability (CVE-2020-12692) was discovered in OpenStack Keystone versions before 15.0.1 and version 16.0.0. The EC2 API lacked a signature TTL check for AWS Signature V4, allowing an attacker to sniff the Authorization header and reuse it to reissue OpenStack tokens an unlimited number of times (OpenStack Advisory, NVD).

The vulnerability stems from Keystone's failure to validate the timestamp in EC2 token requests. While the signature is checked, the timestamp validation was missing, allowing signed requests to remain valid indefinitely. This affects both AWS Signature v1/v2 'Timestamp' parameter and AWS Signature v4 'X-Aws-Date' header or parameter implementations. The CVSS v3.1 base score is 5.4 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

An attacker who can intercept the Authorization header can use it to reissue OpenStack tokens repeatedly without any time limitation. However, the attack requires the ability to sniff network traffic, which is typically only possible in a man-in-the-middle (MITM) scenario or when debug logs are exposed (Launchpad Bug).

The issue has been fixed in OpenStack Keystone version 15.0.1 and later releases. The fix introduces a configurable TTL for signed token requests and ensures timestamp validation against it. Patches were provided for multiple branches including Rocky, Stein, Train, Ussuri, and Victoria (OpenStack Advisory).