openstack team mailing list archive
Mailing list archive
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
> Pádraig Brady from Red Hat discovered that the fix implemented for
> CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By
> crafting a malicious image with root-readable-only symlinks and
> requesting a server based on it, an authenticated user could still
> corrupt arbitrary files (all setups affected) or inject arbitrary files
> (Essex and later setups with OpenStack API enabled and a libvirt-based
> hypervisor) on the host filesystem, potentially resulting in full
> compromise of that compute node.
Unfortunately, this won't be the end of vulnerabilities coming from this "feature".
Even if all the edge-cases around safely writing files are handled (and I'm not sure they are), simply mounting a filesystem is a very dangerous operation for the host.
The idea had been suggested early-on to supporting ISO9660 filesystems created with mkisofs, which can be created in userspace, are read-only, and fairly safe to produce, even as root on compute host.
That idea was apparently shot-down because, "the people who documented/requested the blueprint requested a read-write filesystem that you cannot obtain with ISO9660". Now, everyone has to live with a serious technical blunder.
Per the summit discussion Etherpad:
"injecting files into a guest is a very popular desire."
Popular desires not necessary smart desires. We should remove all file injection post-haste.