Network/Image names allows terminal escape sequence

Bug #1486565 reported by Tristan Cacqueray
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Glance | Opinion | Low | Unassigned |
OpenStack Compute (nova) | Opinion | Low | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Won't Fix | Undecided | Unassigned |

Bug Description

This allows a malicious user to create a network that will mess with the administrator's terminal when they list networks.

Steps to reproduce:

As a user: neutron net-create $(echo -e "\E[37mhidden\x1b[f")

As an admin: neutron net-list

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

This sort of falls into the same category as embedded HTML in object names. You could argue that the server should refuse to create them without escaping, or that the client should escape them when displaying, or both. It's also not a guaranteed exploit (for example, it completely fails in my terminal, and would in many others).

I feel like this would be best mitigated by neutering ANSI escape sequences in non-presentation-layer elements of all our client tools (probably by just refusing to pass raw 0x1b). However, it also seems like a security hardening opportunity since exploiting it would depend on the capabilities of the terminal in use by the victim and would be readily obvious to the victim in most cases even if it did succeed.

Tristan Cacqueray (tristan-cacqueray) wrote :

Turns out Glance image names also have this issue.

I agree to class D since it mostly results in annoying outputs and without another bug (e.g., in terminal emulator) it's not OSSA/CVE worthy.

It seems like something that can easily be fixed at client level by escaping any raw 0x1b bytes.

If no one objects, I'd like to open this bug next week.

summary: - Network names allows terminal escape sequence
+ Network/Image names allows terminal escape sequence
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
description: updated
Travis McPeak (travis-mcpeak) wrote :

I'd argue if there is no valid use case for allowing them the server should refuse to accept this as input (the server should perform input validation) and/or sanitize the input before storing it.

Aaron Rosen (arosen) wrote :

Just curious, nova doesn't have this same issue? Do they handle this in the client or the server?

Gary Kotton (garyk) wrote :

 nova boot --image e2f1e48a-b9f5-41f2-8b9e-d0833c945ef7 --flavor 1 --nic net-id=30d01de4-328d-4cd4-9ec0-1e6cba1cb3f4 $(echo -e "\E[37mhidden\x1b[f")

Cedric Brandily (cbrandily) wrote :

imo, it affects neutronclient not neutron itself

tags: added: needs-attention
Sean Dague (sdague) wrote :

Nova is an API server, it's fine to put whatever into these fields. Should the clients scrub this, probably.

Changed in nova:
status: New → Opinion
importance: Undecided → Low
Ching Sun (ching-sun)
Changed in neutron:
status: New → In Progress
assignee: nobody → Ching Sun (ching-sun)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/305756

Changed in neutron:
assignee: Ching Sun (ching-sun) → Adit Sarfaty (asarfaty)
Adit Sarfaty (asarfaty) wrote :

imo this is not (only) a neutron client issue, and should be fixed in the neutron attributes code, where the rest of the validations are done.
This may be an issue also when you access the service without using the client.
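
The two mitigations discussed in this thread (clients escaping raw 0x1b before display, and the server validating the name attribute), as an added example. This is not the code from either proposed review; the function names and the 255-character limit are assumptions.

```python
import re

# C0 controls (including ESC, 0x1b), DEL, and C1 controls (0x80-0x9f, where
# 0x9b is the single-character CSI). Tab and newline are included because a
# resource name is treated here as a single-line label.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_for_terminal(value):
    """Client side: show control characters as visible \\xNN text."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def validate_name(value, max_len=255):
    """Server side: return an error message, or None if the name is accepted."""
    if not isinstance(value, str):
        return "name must be a string"
    if len(value) > max_len:
        return "name exceeds %d characters" % max_len
    bad = _CONTROL.search(value)
    if bad:
        return "name contains control character 0x%02x at offset %d" % (
            ord(bad.group()), bad.start())
    return None


def render_list(names):
    """Return the lines a list command would print, with names escaped.

    Column width is computed on the escaped text, so a hostile name cannot
    misalign the table or hide neighbouring rows.
    """
    safe = [escape_for_terminal(n) for n in names]
    width = max([len("name")] + [len(s) for s in safe])
    lines = ["| %s |" % "name".ljust(width)]
    lines += ["| %s |" % s.ljust(width) for s in safe]
    return lines


if __name__ == "__main__":
    # Constructed sample: the name produced by the reproducer in this report.
    reported = "\x1b[37mhidden\x1b[f"
    print(validate_name(reported))
    print("\n".join(render_list(["private-net", reported])))
```
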

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306809

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Adit Sarfaty (<email address hidden>) on branch: master
Review: https://review.openstack.org/305756
Reason: neutron-lib is now used for the validations, and this patch was added there too.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (master)

Change abandoned by Adit Sarfaty (<email address hidden>) on branch: master
Review: https://review.openstack.org/306809

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Adit Sarfaty (asarfaty) → nobody
status: In Progress → Incomplete
tags: removed: needs-attention
Changed in glance:
status: New → Opinion
importance: Undecided → Low
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status: Incomplete → Won't Fix