openstack team mailing list archive

[Eric Windisch <eric@xxxxxxxxxxxxxxxx>]

> Pádraig Brady from Red Hat discovered that the fix implemented for
> CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By
> crafting a malicious image with root-readable-only symlinks and
> requesting a server based on it, an authenticated user could still
> corrupt arbitrary files (all setups affected) or inject arbitrary files
> (Essex and later setups with OpenStack API enabled and a libvirt-based
> hypervisor) on the host filesystem, potentially resulting in full
> compromise of that compute node.
>  

Unfortunately, this won't be the end of vulnerabilities coming from this "feature".

Even if all the edge-cases around safely writing files are handled (and I'm not sure they are), simply mounting a filesystem is a very dangerous operation for the host.

The idea had been suggested early-on to supporting ISO9660 filesystems created with mkisofs, which can be created in userspace, are read-only, and fairly safe to produce, even as root on compute host.

That idea was apparently shot-down because, "the people who documented/requested the blueprint requested a read-write filesystem that you cannot obtain with ISO9660".  Now, everyone has to live with a serious technical blunder.

Per the summit discussion Etherpad:
 "injecting files into a guest is a very popular desire."

Popular desires not necessary smart desires. We should remove all file injection post-haste.

Regards,
Eric Windisch