ZMQ ipc socket file is created using un-sanitized network input

Bug #1122763 reported by Erica Windisch
Affects | Status | Importance | Assigned to | Milestone
oslo-incubator | Fix Released | Medium | Erica Windisch |
oslo-incubator (Grizzly series) | Fix Released | Medium | Erica Windisch |

Bug Description

The following code in impl_zmq.py uses untrusted input 'topic' which is received over the network without any sanitization to create a file on the local filesystem:

out_sock = ZmqSocket("ipc://%s/zmq_topic_%s" %
                     (ipc_dir, topic),
                     sock_type, bind=True)

Tags: security
Revision history for this message
Erica Windisch (ewindisch) wrote :
Thierry Carrez (ttx) wrote :

Trying to assess impact, need your expertise to confirm:

This requires access to the "internal" network, right? In which case I'd fix it (and backport it) without an advisory since in the current Nova setup, the internal network is still considered somewhat privileged (think absence of encryption/signature) and the impact here is limited (file is created with limited rights? content is not controlled?), so it's hardly directly exploitable?

Thierry Carrez (ttx) wrote :

Adding PTL

Thierry Carrez (ttx) wrote :

Adding current PTL too :)

Thierry Carrez (ttx)
Changed in oslo:
status: New → Incomplete
importance: Undecided → Medium
Erica Windisch (ewindisch) wrote :

Thierry, I believe you're correct on all points. This requires access to whatever network RPC messaging is done over. You are also correct that this is done with limited privileges. An attacker would not be able to write any arbitrary data to any other files, they'd only be able to create unix sockets anywhere on the system that the non-privileged user in question might be able to write to.

I agree that the relative risk is quite low, compared to how it may be were this privileged code. I'm not opposed to making this public.

Note, this could also be used as a denial of service attack to prevent a host from consuming specific messages, although this same method has at least one other DoS bug that would need to be worked out, if we considered such a concern of sufficient importance to embargo this bug. As you stated, Thierry, this network is considered at least somewhat privileged already.

Thierry Carrez (ttx) wrote :

Agreed. It would be a different story if we were claiming the MQ can be run over an untrusted network, but this is not (yet) the case ;) It should definitely be fixed, though, and I'd like this to be backported as well...

Feel free to push the patch publicly. I'll open this bug.

information type: Private Security → Public
tags: added: security
Changed in oslo:
status: Incomplete → Triaged
Changed in oslo:
assignee: nobody → Eric Windisch (ewindisch)
status: Triaged → In Progress
Mark McLoughlin (markmc)
Changed in oslo:
milestone: none → grizzly-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo-incubator (master)

Reviewed: https://review.openstack.org/24229
Committed: http://github.com/openstack/oslo-incubator/commit/40640215468b1fe7f7b17c299c658e94f82e7d70
Submitter: Jenkins
Branch: master

commit 40640215468b1fe7f7b17c299c658e94f82e7d70
Author: Eric Windisch <email address hidden>
Date: Tue Feb 12 01:13:17 2013 -0500

    Sanitize input before creating IPC socket.

    Sockets are created by the zeromq driver
    for the topic specified by each incoming message.

    Because the topic is arbitrarily supplied by the sender,
    path separators in the topic must be illegal.

    Fixes bug 1122763

    Change-Id: Iccdb9b69e646bfe7665ee34c367fd4019db25f17
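The bug description shows the socket path being built straight from the message's topic, and the commit message states the rule the fix enforces: path separators in a topic must be illegal. The following is an added illustration of that rule, not the project's own code or the actual oslo-incubator patch. It uses a constructed IPC directory and constructed topic strings, a hypothetical whitelist regular expression, and a containment check (that the resolved path is still under ipc_dir) as defense in depth beyond what the commit message describes.

```python
import os
import re

# Constructed example value for the directory that holds per-topic IPC sockets.
IPC_DIR = "/var/run/openstack"

# Hypothetical whitelist (an assumption, not the project's rule): a topic is a
# short token of letters, digits, '.', '_' and '-' that starts alphanumeric.
# No '/' can appear, so no path separator reaches the socket filename.
_TOPIC_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_topic(topic):
    """Return True only for topics that cannot influence the directory part of the path."""
    return isinstance(topic, str) and _TOPIC_RE.match(topic) is not None


def unsanitized_ipc_path(ipc_dir, topic):
    """The construction reported in the bug: the topic is interpolated as-is."""
    return "%s/zmq_topic_%s" % (ipc_dir, topic)


def escapes_ipc_dir(ipc_dir, topic):
    """True if the unsanitized construction resolves to a location outside ipc_dir.

    Note that a leading '..' alone does not escape, because the filename prefix
    'zmq_topic_' is glued to it; a separator-bearing topic is what moves the
    path into another directory.
    """
    base = os.path.abspath(ipc_dir)
    target = os.path.abspath(unsanitized_ipc_path(ipc_dir, topic))
    return os.path.commonpath([base, target]) != base


def ipc_socket_address(ipc_dir, topic):
    """Build the ipc:// address as the driver does, but refuse unsafe topics.

    Raises ValueError instead of creating a socket for a topic that contains
    path separators or otherwise fails the whitelist.
    """
    if not is_safe_topic(topic):
        raise ValueError("illegal topic: %r" % (topic,))
    path = os.path.join(ipc_dir, "zmq_topic_%s" % topic)
    # Defense in depth: even after the whitelist, verify containment.
    base = os.path.abspath(ipc_dir)
    if os.path.commonpath([base, os.path.abspath(path)]) != base:
        raise ValueError("topic escapes ipc_dir: %r" % (topic,))
    return "ipc://" + path


if __name__ == "__main__":
    # Constructed topics: one ordinary RPC topic and one carrying separators.
    for topic in ("compute.host1", "/../../tmp/other"):
        print("%-20r safe=%-5s escapes=%s" % (
            topic, is_safe_topic(topic), escapes_ipc_dir(IPC_DIR, topic)))
        try:
            print("  ->", ipc_socket_address(IPC_DIR, topic))
        except ValueError as exc:
            print("  rejected:", exc)
```

The whitelist is the primary control, since a topic is a name the driver chooses to use as a filename and has no legitimate reason to contain separators; the containment check only guards against a future change to the path construction that the whitelist did not anticipate.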

Changed in oslo:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in oslo:
status: Fix Committed → Fix Released