openstack team mailing list archive

[Pádraig Brady <P@xxxxxxxxxxxxxx>]

On 08/07/2012 10:38 PM, Eric Windisch wrote:
> 
>> Pádraig Brady from Red Hat discovered that the fix implemented for
>> CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By
>> crafting a malicious image with root-readable-only symlinks and
>> requesting a server based on it, an authenticated user could still
>> corrupt arbitrary files (all setups affected) or inject arbitrary files
>> (Essex and later setups with OpenStack API enabled and a libvirt-based
>> hypervisor) on the host filesystem, potentially resulting in full
>> compromise of that compute node.
>>  
> 
> Unfortunately, this won't be the end of vulnerabilities coming from this "feature".
> 
> Even if all the edge-cases around safely writing files are handled (and I'm not sure they are), simply mounting a filesystem is a very dangerous operation for the host.
> 
> The idea had been suggested early-on to supporting ISO9660 filesystems created with mkisofs, which can be created in userspace, are read-only, and fairly safe to produce, even as root on compute host.
> 
> That idea was apparently shot-down because, "the people who documented/requested the blueprint requested a read-write filesystem that you cannot obtain with ISO9660".  Now, everyone has to live with a serious technical blunder.
> 
> Per the summit discussion Etherpad:
>  "injecting files into a guest is a very popular desire."
> 
> Popular desires not necessary smart desires. We should remove all file injection post-haste.

You can configure injection out depending on your requirements.
Also notice that libguestfs is supported as an injection mechanism
which mounts images in a separate VM, with one of the big advantages
of that being better security.

cheers,
Pádraig.