security scan reported Join and relpath path traversal in latest cloud-init code

Bug #1848291 reported by Kumar Biplab
Affects      Status    Importance  Assigned to  Milestone
cloud-init   Invalid   Undecided   Unassigned   -

Bug Description

There are many occurrences where the security scan reported join and relpath path traversal in the latest cloud-init code.
It could be a potential threat, as an attacker might be able to read/write/modify files/directories.

There are over 350 occurrences and I am adding a few of them.
1. cloudinit\cmd\devel\logs.py at line 99
os.path.join(tmp_dir, log_dir)

2. cloudinit\cmd\main.py at line 649
os.path.relpath(status_path, link_d)

3. cloudinit\cmd\main.py at line 683
os.path.relpath(result_path, link_d)

4. cloudinit\util.py at line 1910
os.path.join(tmpd, basename)

5. cloudinit\net\eni.py at line 172
os.path.join(expanded_path, path)

Here is the link where it is mentioned how an attacker can access files and inject malicious code if paths are not used properly.
https://security.openstack.org/guidelines/dg_using-file-paths.html

Ryan Harper (raharper) wrote :

Thanks for taking the time to help make cloud-init more secure.
Based on our analysis (see below) of the issue we do not
believe this is a security issue. We will mark this bug as public.
If you have any further questions or need clarification, feel free to follow up here.

--
The security issue is concerned with users providing a
component of path to a file or resource.

1) cloudinit\cmd\devel\logs.py

In this case, the path construction is a temp dir in /tmp
and a date-formatted directory in the form of 'cloud-init-logs-<date>'
and the user does not have direct control over this path construction.

2) cloudinit\cmd\main.py:649

The path construction here is a relpath symlink created in /run/cloud-init
to point to the status json file, /var/lib/cloud/data/status.json. Both
/run/cloud-init and the path to status.json are hard-coded values which the user does not control via the command line.

3) cloudinit\cmd\main.py:683

This is the same as (2) but uses a different basename, 'result.json'.

4) cloudinit/util.py:subp_blob_in_tempfile()

This function accepts a keyword argument, 'basename', which is prefixed
to the temporary filename created in /run/cloud-init/tmp/ used to run
scripts on behalf of the user who provided the configuration to the
cloud-init chef module. The user can control the constructed path by
specifying relative values. In this case, this use would allow
local users to write to arbitrary paths, though it would be restricted
by the permissions of the invoking user.

5) cloudinit/net/eni.py:_parse_deb_config_data()

This function constructs paths to additional include files that are
read and parsed for valid /etc/network/interfaces network config.
Users could specify sensitive paths other than expected but would be
restricted to reading files they are allowed to read already.
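The analysis of cases (4) and (5) above turns on whether a caller-supplied component can move a joined path outside its intended directory. The following added example (not cloud-init code; `join_within` and `classify` are hypothetical helper names) shows why `os.path.join` alone cannot be trusted for that and how a containment check on the resolved path settles it. The base directory `/var/lib/cloud/data` is taken from the comment above; the components passed in are constructed samples.

```python
import os


def join_within(base_dir, *parts):
    """Join *parts onto base_dir and return the resolved path, or raise
    ValueError if the result lies outside base_dir.

    os.path.join never rejects anything: a component containing '..'
    is kept verbatim, and an absolute component discards everything
    before it. Resolving both sides with realpath (which also follows
    symlinks) and comparing their common prefix is what enforces the
    boundary.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("%r escapes %r" % (candidate, base))
    return candidate


def classify(base_dir, component):
    """Label one caller-controlled component as 'inside' or 'escapes'
    relative to base_dir, the way a reviewer would triage each scanner
    finding on this bug."""
    try:
        join_within(base_dir, component)
        return "inside"
    except ValueError:
        return "escapes"


if __name__ == "__main__":
    # Constructed sample components; the first two are the shapes a
    # hard-coded basename such as 'status.json' takes, the last two are
    # the shapes only a user-controlled value could introduce.
    samples = ["status.json", "scripts/../result.json",
               "../../../../etc/passwd", "/etc/passwd"]
    for s in samples:
        print("%-28s -> %s" % (s, classify("/var/lib/cloud/data", s)))
```

Any component that yields "escapes" is the kind of finding that matters; hard-coded components, like those in cases (1) to (3) above, can never produce one.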

Ryan Harper (raharper)
Changed in cloud-init:
status: New → Invalid
Joshua Powers (powersj)
information type: Private Security → Public
James Falcon (falcojr) wrote :