← Back to team overview

openstack team mailing list archive

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

 

On 08/08/12 07:38, Eric Windisch wrote:
> 
>> Pádraig Brady from Red Hat discovered that the fix implemented for 
>> CVE-2012-3361 (OSSA-2012-008) was not covering all attack
>> scenarios. By crafting a malicious image with root-readable-only
>> symlinks and requesting a server based on it, an authenticated user
>> could still corrupt arbitrary files (all setups affected) or inject
>> arbitrary files (Essex and later setups with OpenStack API enabled
>> and a libvirt-based hypervisor) on the host filesystem, potentially
>> resulting in full compromise of that compute node.
>> 
> 
> Unfortunately, this won't be the end of vulnerabilities coming from
> this "feature".
> 
> Even if all the edge-cases around safely writing files are handled
> (and I'm not sure they are), simply mounting a filesystem is a very
> dangerous operation for the host.
> 
> The idea had been suggested early-on to supporting ISO9660
> filesystems created with mkisofs, which can be created in userspace,
> are read-only, and fairly safe to produce, even as root on compute
> host.

I am in the process of re-writing the config drive code as we speak. The
re-write supports (and defaults to) providing the config drive as an
iso9660 image.

There are two places that mounting occurs with the new code:

 - if the user wants a vfat config drive, as I couldn't find a way to
create a vfat filesystem from a directory using userspace code. This
should be "relatively safe" though because the filesystem which is
mounted is created by the code just before the mount. [1]

 - if the user specifies an image from glance for the injection to occur
to. This is almost certainly functionality that you're not going to like
for the reasons stated above. Its there because v1 did it, and I'm
willing to remove it if there is a consensus that's the right thing to
do. However, file IO on this image mount is done as the nova user, not
root, so that's a tiny bit safer (I hope).

https://review.openstack.org/#/c/10934/

Mikal

1: I am not a security researcher. I would not play a good one on TV.


Follow ups

References