CVE-2014-0167 in Computeinfo

Summary

by MITRE

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/10/2026

The vulnerability identified as CVE-2014-0167 represents a critical access control weakness within the OpenStack Compute service known as Nova. This flaw specifically affects the EC2 API security group implementation and exists in Nova versions released between 2013.1 and 2013.2.3, as well as in the icehouse release candidate versions prior to icehouse-rc2. The vulnerability stems from insufficient enforcement of Role-Based Access Control (RBAC) policies within the compute/api.py file, creating a pathway for authenticated attackers to escalate their privileges through manipulation of security group operations.

The technical implementation flaw manifests in the failure to properly validate user permissions when executing specific security group management operations. Attackers can exploit this weakness by making API requests to methods such as add_rules, remove_rules, and destroy functions without proper authorization checks being enforced. This occurs specifically when non-default policies are in use, suggesting that the vulnerability is not present when default security configurations are maintained. The flaw operates at the application layer where the Nova service processes API calls, allowing malicious actors with legitimate credentials to bypass intended access controls and perform unauthorized security group modifications.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally undermines the security model of OpenStack Compute environments. When exploited, authenticated users can manipulate network security policies, potentially allowing them to open unauthorized ports, remove security restrictions, or destroy critical security group configurations. This capability enables attackers to move laterally within cloud environments, access protected resources, and compromise the overall security posture of the infrastructure. The vulnerability affects cloud deployments where multiple users share the same compute environment, as it allows one authenticated user to potentially affect security configurations that impact other users or system components.

Organizations affected by this vulnerability should immediately implement the recommended security patches that address the RBAC enforcement issues in Nova's compute/api.py implementation. The mitigation strategy involves upgrading to Nova versions 2013.2.4 or later, or icehouse-rc2 and subsequent releases where the security group access controls have been properly enforced. Additionally, administrators should review and audit existing security group configurations to identify any unauthorized changes that may have occurred during the vulnerability window. Security monitoring should be enhanced to detect unusual security group modification patterns, and network segmentation strategies should be reviewed to limit the potential impact of privilege escalation. This vulnerability aligns with CWE-284, which describes inadequate access control, and represents a specific instance of the broader ATT&CK technique T1078 for valid accounts and privilege escalation. Organizations should also consider implementing additional monitoring controls to detect API calls that modify security group configurations, as these operations represent high-value targets for attackers seeking to expand their access within cloud environments.

Reservation

12/03/2013

Disclosure

04/15/2014

Moderation

accepted

Entry

VDB-69335

CPE

ready

EPSS

0.01647

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!