yahoo-eng-team team mailing list archive
Message #20555
[Bug 1365712] Re: Command Execution Possible Through Config File Tampering
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1365712
Title:
Command Execution Possible Through Config File Tampering
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
The OpenStack Security Group has been reviewing OpenStack code to find potential security vulnerabilities.
One class of these vulnerabilities is to allow someone with write access to nova.conf to cause code to be executed as the OpenStack user.
Some details are here:
https://review.openstack.org/#/c/118910/
More tracking information is here:
https://bugs.launchpad.net/nova/+bug/1192971
This bug is specifically to address the possible vulnerability at
nova/nova/virt/baremetal/ipmi.py:292
If a user has write access to nova.conf, he can set
[baremetal]
terminal = /bin/foo
and cause /bin/foo to be executed.
If a user has write access to nova.conf, he can set
[baremetal]
terminal_cert_dir = "; cat /etc/passwd"
and cause the password file to be written to stdout.
Some input validation would help correct this.
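As an added illustration of the input validation the report asks for (example code, not nova's own code and not part of the bug report): the two [baremetal] values are checked before use, and the console command is assembled as an argv list rather than a shell string, so a value is always passed as one argument. The allow-listed directories, the option names given to the helper (--cert-dir, --port) and the sample nova.conf contents are assumptions made for this example.

```python
"""Validate [baremetal] console settings from nova.conf before they are used
to launch a process.  Added example; not nova's own code."""
import configparser
import re
from pathlib import PurePosixPath

# Assumption for this example: directories from which the console helper
# may be launched.  A real deployment would pick its own list.
ALLOWED_TERMINAL_DIRS = ("/usr/bin", "/usr/local/bin", "/usr/sbin")

# An absolute path built only from characters no shell treats specially.
_SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]*$")


class ConfigValueError(ValueError):
    """Raised when a config value would not be safe to use in a command."""


def _safe_abs_path(name, value):
    """Accept only an absolute, metacharacter-free path with no '..' parts."""
    if not _SAFE_PATH_RE.match(value):
        raise ConfigValueError(
            "%s=%r is not an absolute path made of [A-Za-z0-9._/-]" % (name, value))
    if ".." in PurePosixPath(value).parts:
        raise ConfigValueError("%s=%r contains a '..' component" % (name, value))
    return value


def validate_terminal(value):
    """The terminal binary must live in an allow-listed directory."""
    path = _safe_abs_path("terminal", value)
    parent = str(PurePosixPath(path).parent)
    if parent not in ALLOWED_TERMINAL_DIRS:
        raise ConfigValueError(
            "terminal=%r is outside %s" % (value, ", ".join(ALLOWED_TERMINAL_DIRS)))
    return path


def validate_terminal_cert_dir(value):
    """The certificate directory only needs to be a well-formed absolute path."""
    return _safe_abs_path("terminal_cert_dir", value)


def build_console_argv(terminal, cert_dir, port):
    """Return the command as an argv list for subprocess without a shell.
    Each config value becomes exactly one argument, so the shell never
    gets a chance to split it into extra commands.  The helper's option
    names here are assumed, not the real shellinabox/ipmi ones."""
    return [validate_terminal(terminal),
            "--cert-dir", validate_terminal_cert_dir(cert_dir),
            "--port", str(int(port))]


def check_nova_conf(text):
    """Parse nova.conf text and return a list of findings for the two
    [baremetal] console settings (an empty list means both are acceptable)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if not cp.has_section("baremetal"):
        return findings
    for option, validator in (("terminal", validate_terminal),
                              ("terminal_cert_dir", validate_terminal_cert_dir)):
        if cp.has_option("baremetal", option):
            try:
                validator(cp.get("baremetal", option))
            except ConfigValueError as exc:
                findings.append(str(exc))
    return findings


# Constructed sample configurations: one benign, one carrying the values
# quoted in the bug report.  Paths are made up for the example.
GOOD_CONF = """[baremetal]
terminal = /usr/bin/shellinaboxd
terminal_cert_dir = /etc/nova/baremetal/certs
"""

BAD_CONF = """[baremetal]
terminal = /bin/foo
terminal_cert_dir = "; cat /etc/passwd"
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_nova_conf(conf) or "ok")
    print(build_console_argv("/usr/bin/shellinaboxd", "/etc/nova/baremetal/certs", 4000))
```

check_nova_conf reports both tampered values from the report, and build_console_argv refuses them before any process is started. Note that the validator deliberately rejects a bare program name such as "shellinaboxd" that relies on PATH lookup; requiring an absolute path inside a known directory is the trade-off that makes the check meaningful.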
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1365712/+subscriptions