Command execution cases need to be strengthened
Bug #1192971 reported by Thierry Carrez
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Fix Released | Wishlist | Unassigned | |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Grant Murphy from Red Hat Product Security Team reports the following potential vulnerability:
For the most part OpenStack seems to do command execution safely using subprocess.Popen. There are two instances where things become a little dubious. The first is when shell=True is used with subprocess. This doesn't prevent arguments being supplied that allow for multiple commands to be executed. e.g. '; cat /etc/passwd'. The second case is where commands are made to an external ssh host.
See attached file for a list of potential injections: we should double-check them (even if I expect most of them to turn false positive).
Changed in nova:
assignee: nobody → Lance Bragstad (ldbragst)
status: Confirmed → In Progress
Changed in cinder:
assignee: nobody → Haomai Wang (haomai)
status: Confirmed → In Progress
Changed in cinder:
status: Fix Committed → In Progress
Changed in nova:
status: In Progress → Confirmed
assignee: Lance Bragstad (lbragstad) → nobody
Changed in cinder:
status: Triaged → Fix Released
Looking into the Nova reported cases, there are 3 cases which may be exploitable:
nova/virt/powervm/blockdev.py:
run_vios_command() and run_vios_command_as_root() pass numerous unchecked commands to processutils.ssh_execute which in turn calls paramiko's exec_command which just interprets shell commands.
nova/virt/powervm/common.py:
ssh_command_as_root() also pushes various unchecked commands to a paramiko ssh channel.
plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost:
uses a _run_command() utility that calls subprocess.Popen with shell=True.
We need to further look into those commands to see if any of those parameters end up being attacker-controllable. Other cases mentioned in the report in Nova look invalid (shell=False and no SSH connection).
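The two cases from the report, as an added example that is not code from Nova, Cinder or anyone in this thread: a `shell=True` call beside its argv-list form, and a command string destined for an SSH exec channel with and without per-argument quoting. The function names and the sample value are constructed for illustration, and `simulate_remote_exec` is a local stand-in (an assumption) for the remote side, which hands the received string to a shell.

```python
import shlex
import subprocess

# Constructed sample value, modelled on the report's '; cat /etc/passwd' case.
HOSTILE = "vol1; echo INJECTED"


def run_shell_true(name):
    """Weak form: the string is parsed by /bin/sh, so ';' starts a new command."""
    out = subprocess.run("echo " + name, shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(name):
    """Hardened local form: argv list, no shell, the value stays one argument."""
    out = subprocess.run(["echo", name],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def build_remote_command(argv):
    """Build the single string an SSH exec request carries, quoting each word."""
    return " ".join(shlex.quote(a) for a in argv)


def simulate_remote_exec(command):
    """Stand-in for the remote host: the command string is run by a shell."""
    out = subprocess.run(["sh", "-c", command],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True      :", run_shell_true(HOSTILE))
    print("argv list       :", run_argv(HOSTILE))
    print("remote, unquoted:", simulate_remote_exec("echo " + HOSTILE))
    print("remote, quoted  :",
          simulate_remote_exec(build_remote_command(["echo", HOSTILE])))
```

Dropping the shell is not available for the SSH case because the remote end always receives one string, so quoting each argument (or validating it against an allow-list before it reaches the channel) is the control that applies there.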