Arbitrary file reading vulnerability

Bug #1999622 reported by yhy
Affects: Canonical Juju
Status: Fix Released
Importance: Critical
Assigned to: Harry Pidcock

Bug Description

When I was learning CodeQL, I found that there was a potential loophole in Juju. Once authentication has passed, when downloading the backup file I could control the id value to point at any file location, and then download that file through download().

The versions affected by the vulnerability are the latest version, 3.0, and below (juju <= latest version).
Please see the attachment for details.

CVE References

Revision history for this message
yhy (yhy0) wrote :
Revision history for this message
Ian Booth (wallyworld) wrote :

Thank you for raising this issue.

Changed in juju:
milestone: none → 2.9.38
status: New → Confirmed
importance: Undecided → Critical
Revision history for this message
Harry Pidcock (hpidcock) wrote :

Tracking @ https://github.com/juju/juju/security/advisories/GHSA-x5rv-w9pm-8qp8

The issue was introduced in 2.9.22 via this commit https://github.com/juju/juju/commit/05de4b980f6fbf0884c8c774df66a02bd2498cbb

It allows a user with read access to the controller to read arbitrary files from disk.

Before 2.9.22, the backup ID, which is used to read from disk, had validation to ensure the file path contained `juju-backup.tar.gz`; if the ID did not, the backup would instead be fetched from GridFS in MongoDB.

Now it allows the user to pass an `ID` unvalidated to `os.Open`, sending the file contents back to the requester.

Changed in juju:
assignee: nobody → Harry Pidcock (hpidcock)
status: Confirmed → In Progress
Ian Booth (wallyworld)
Changed in juju:
status: In Progress → Fix Committed
Revision history for this message
Ian Booth (wallyworld) wrote :
Revision history for this message
yhy (yhy0) wrote :

That's great, the fix was very fast. Could you apply for a CVE for me, if you can? The organization is moresec/yhy.

Revision history for this message
Ian Booth (wallyworld) wrote :

I can see https://github.com/moresec
Is that correct?

Revision history for this message
yhy (yhy0) wrote :

No, I work at https://moresec.cn/ and my GitHub URL is https://github.com/yhy0

Revision history for this message
yhy (yhy0) wrote :

I haven't received the CVE yet. Is that a failure?

Revision history for this message
Ian Booth (wallyworld) wrote :

You've been added but we're not publishing it till the fix is released :-)

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Ian, yhy,

Please use CVE-2023-0092 for this issue.

Does this attack vector require an authenticated user?
What model, controller, or cloud access settings are required to allow this attack to succeed?
What model, controller, or cloud access settings mean the user has code execution privileges?

Does https://github.com/juju/juju/pull/15006 handle this case:
juju download-backup /var/snap/juju-db/common/backups/../../../../../etc/passwd

I'd love to see some tests added for this and relative paths.

Thanks

Revision history for this message
Harry Pidcock (hpidcock) wrote :

Juju 2.9.38 is in QA now. Still waiting on Juju 3.0.3 before making this public.

Seth, I'll have some specific tests this week.

Does this attack vector require an authenticated user?
Yes.

What model, controller, or cloud access settings are required to allow this attack to succeed?
User with read access on the controller.

What model, controller, or cloud access settings mean the user has code execution privileges?
It depends on the information read; effectively, one could read a private SSH key or /etc/shadow and possibly gain access that way.

Changed in juju:
status: Fix Committed → Fix Released
Revision history for this message
Ian Booth (wallyworld) wrote :

@seth

$ juju download-backup /var/snap/juju-db/common/backups/../../../../../etc/passwd
ERROR Get https://10.105.74.65:17070/model/8cfc8b19-cb52-42ef-8923-345bef8dc145/backups: backup file "/var/snap/juju-db/common/backups/../../../../../etc/passwd" not valid

Harry Pidcock (hpidcock)
information type: Private Security → Public Security
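The flaw Harry describes above (a client-supplied backup ID handed straight to os.Open) and the relative-path case Seth asked about and Ian tested, shown side by side with a hardened lookup. This is an added example, not Juju's own code or its actual fix: the backups directory is the one quoted in the thread, and the ID naming convention (a bare file name ending in juju-backup.tar.gz), the function names and the error text are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidBackupID is returned for any ID that does not name a plain backup
// file inside the backups directory. The wording echoes the "not valid" error
// in the thread but is this example's own, not Juju's.
var ErrInvalidBackupID = errors.New("backup file not valid")

// vulnerableOpen illustrates the flaw class described in the report: the
// caller-supplied ID reaches os.Open unvalidated, so any file readable by the
// controller process can be requested. Shown for contrast only.
func vulnerableOpen(id string) (*os.File, error) {
	return os.Open(id)
}

// backupPath maps a client-supplied backup ID onto a file under backupsDir or
// returns ErrInvalidBackupID. Assumed convention for this example: IDs are bare
// file names ending in "juju-backup.tar.gz".
func backupPath(backupsDir, id string) (string, error) {
	// 1. A backup ID is a file name, never a path: no separators, no "." or "..".
	//    This alone rejects "/etc/passwd" and
	//    "/var/snap/juju-db/common/backups/../../../../../etc/passwd".
	if id == "" || id == "." || id == ".." || id != filepath.Base(id) ||
		strings.ContainsAny(id, `/\`) {
		return "", ErrInvalidBackupID
	}
	// 2. Enforce the naming convention. A suffix check on its own would still
	//    accept "../../home/ubuntu/juju-backup.tar.gz", which is why step 1
	//    must come first.
	if !strings.HasSuffix(id, "juju-backup.tar.gz") {
		return "", ErrInvalidBackupID
	}
	// 3. Defence in depth: the joined, cleaned path must remain inside
	//    backupsDir even if the rules above are ever relaxed.
	full := filepath.Join(backupsDir, id)
	rel, err := filepath.Rel(backupsDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidBackupID
	}
	return full, nil
}

// safeOpen validates the ID first and only then touches the filesystem, so a
// rejected ID never causes a disk read.
func safeOpen(backupsDir, id string) (*os.File, error) {
	p, err := backupPath(backupsDir, id)
	if err != nil {
		return nil, err
	}
	return os.Open(p)
}

func main() {
	dir := "/var/snap/juju-db/common/backups" // directory quoted in the thread; not read here
	// Constructed sample IDs: one legitimate, the rest hostile.
	for _, id := range []string{
		"20230101-120000.juju-backup.tar.gz",
		"/etc/passwd",
		"/var/snap/juju-db/common/backups/../../../../../etc/passwd",
		"../../../home/ubuntu/.ssh/id_rsa",
		"../../home/ubuntu/juju-backup.tar.gz",
	} {
		p, err := backupPath(dir, id)
		fmt.Printf("%-62q -> path=%q err=%v\n", id, p, err)
	}
}
```

The base-name rule carries the weight: a suffix or substring check on `juju-backup.tar.gz` is not a traversal defence on its own, since an attacker can place the expected suffix at the end of any path. What this example does not cover is a symlink already inside the backups directory pointing elsewhere; guarding against that would need filepath.EvalSymlinks on the resolved path, or better, an allowlist of IDs taken from the backup metadata store rather than from the request.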
This report contains Public Security information.