openstack team mailing list archive

Thread
Date

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

To: Eric Windisch <eric@xxxxxxxxxxxxxxxx>
From: Michael Still <michael.still@xxxxxxxxxxxxx>
Date: Wed, 08 Aug 2012 10:00:34 +1000
Cc: Thierry Carrez <thierry@xxxxxxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <3E71F19558F641848F890DE86DC0FF50@cloudscaling.com>
User-agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0

On 08/08/12 07:38, Eric Windisch wrote:
> 
>> Pádraig Brady from Red Hat discovered that the fix implemented for 
>> CVE-2012-3361 (OSSA-2012-008) was not covering all attack
>> scenarios. By crafting a malicious image with root-readable-only
>> symlinks and requesting a server based on it, an authenticated user
>> could still corrupt arbitrary files (all setups affected) or inject
>> arbitrary files (Essex and later setups with OpenStack API enabled
>> and a libvirt-based hypervisor) on the host filesystem, potentially
>> resulting in full compromise of that compute node.
>> 
> 
> Unfortunately, this won't be the end of vulnerabilities coming from
> this "feature".
> 
> Even if all the edge-cases around safely writing files are handled
> (and I'm not sure they are), simply mounting a filesystem is a very
> dangerous operation for the host.
> 
> The idea had been suggested early-on to supporting ISO9660
> filesystems created with mkisofs, which can be created in userspace,
> are read-only, and fairly safe to produce, even as root on compute
> host.

I am in the process of re-writing the config drive code as we speak. The
re-write supports (and defaults to) providing the config drive as an
iso9660 image.

There are two places that mounting occurs with the new code:

 - if the user wants a vfat config drive, as I couldn't find a way to
create a vfat filesystem from a directory using userspace code. This
should be "relatively safe" though because the filesystem which is
mounted is created by the code just before the mount. [1]

 - if the user specifies an image from glance for the injection to occur
to. This is almost certainly functionality that you're not going to like
for the reasons stated above. Its there because v1 did it, and I'm
willing to remove it if there is a consensus that's the right thing to
do. However, file IO on this image mount is done as the nova user, not
root, so that's a tiny bit safer (I hope).

https://review.openstack.org/#/c/10934/

Mikal

1: I am not a security researcher. I would not play a good one on TV.

Follow ups

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Scott Moser, 2012-08-08
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Pádraig Brady, 2012-08-08
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Eric Windisch, 2012-08-08

References

[OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Thierry Carrez, 2012-08-07
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Eric Windisch, 2012-08-07