yahoo-eng-team team mailing list archive

[Bug 1221190] Re: [OSSA 2014-009] Image format not enforced when using rescue (CVE-2014-0134)

 

** Changed in: nova/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1221190

Title:
  [OSSA 2014-009] Image format not enforced when using rescue
  (CVE-2014-0134)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Rescuing an instance seems to guess the image format at some point.
  This allows reading files from the compute host via the qcow2 backing
  file.

  Requirements:
  - instances spawned using libvirt
  - use_cow_images = False in the config

  To reproduce:
  1. Create a qcow2 file backed by the path you want to read from the compute host. (qemu-img create -f qcow2 -b /path/to/the/file $((1024*1024)) evil.qcow2)
  2. Spawn an instance, scp the file into it.
  3. Overwrite the disk inside the instance (dd if=evil.qcow2 of=/dev/vda)
  4. Shut down the instance.
  5. Rescue the instance.
  6. While in rescue mode, log in and read /dev/vdb - beginning should be read from the qcow backing file

  The libvirt description of the rescued instance will contain the entry for
  the second disk with attribute type="qcow2", even though it should be
  "raw" - same as the original instance.

  Mitigating factors:
  - files have to be readable by libvirt/kvm
  - apparmor/selinux will limit the number of accessible files
  - only full blocks of the file are visible in the rescued instance, so short files will not be available at all and long files are going to be truncated

  Possible targets:
  - private snapshots with known uuids, or instances of other tenants are a good target for this attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1221190/+subscriptions
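
Added example (not part of the original bug report and not nova's code): a host-side audit that compares the format the operator configured for a disk (raw when use_cow_images = False) with what the first bytes of the disk claim, and reports any backing-file reference found in a qcow2 header. The function names and the sample header are constructed for illustration; this is a detection aid, and the disk should still be attached with its recorded format rather than a probed one.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# magic, version, backing_file_offset, backing_file_size (all big-endian)
HEADER = struct.Struct(">4sIQI")


def parse_qcow2_header(data):
    """Return qcow2 header fields found at the start of `data`, or None."""
    if len(data) < HEADER.size:
        return None
    magic, version, bf_off, bf_len = HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        return None
    backing = None
    if bf_off and bf_len:
        raw = data[bf_off:bf_off + bf_len]
        # A name that runs past the bytes we were given is reported as truncated.
        backing = raw.decode("utf-8", "replace") if len(raw) == bf_len else "<truncated>"
    return {"version": version, "backing_file": backing}


def audit_disk(expected_format, data):
    """Compare the format the operator configured with what the bytes claim."""
    hdr = parse_qcow2_header(data)
    if expected_format == "raw" and hdr is not None:
        return ("ALERT", "raw disk carries a qcow2 header; backing file: %r"
                % hdr["backing_file"])
    if expected_format == "qcow2" and hdr is None:
        return ("WARN", "qcow2 disk has no qcow2 header")
    return ("OK", "content matches expected format %s" % expected_format)


def make_constructed_qcow2_header(backing_path):
    """Build a constructed header for the demo (not a complete image)."""
    name = backing_path.encode()
    offset = 104  # constructed: name placed right after a v3-sized header
    head = HEADER.pack(QCOW2_MAGIC, 3, offset, len(name))
    return head.ljust(offset, b"\0") + name


if __name__ == "__main__":
    guest_written = make_constructed_qcow2_header("/constructed/host/path")
    plain_raw = b"\0" * 512
    for label, blob in (("guest-overwritten", guest_written), ("plain raw", plain_raw)):
        print(label, audit_disk("raw", blob))
```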