The vulnerability is at https://github.com/openstack/tripleo-heat-templates/blob/1393d39be367db3acb02508e0e858395a4e4fefa/scripts/undercloud-upgrade-ephemeral-heat.py#L254 and https://github.com/openstack/tripleo-heat-templates/blob/1393d39be367db3acb02508e0e858395a4e4fefa/scripts/undercloud-upgrade-ephemeral-heat.py#L94
At undercloud-upgrade-ephemeral-heat.py#L254, we first write the passwords into a file and only afterwards chmod the file to mode 600:
    # os, yaml, LOG and plan_utils are module-level imports in the original script.
    def export_passwords(heat, stack, stack_dir):
        passwords_path = os.path.join(
            stack_dir, "tripleo-{}-passwords.yaml".format(stack))
        LOG.info("Exporting passwords for stack %s to %s"
                 % (stack, passwords_path))
        passwords = plan_utils.generate_passwords(heat=heat, container=stack)
        password_params = dict(parameter_defaults=passwords)
        # File is created with the process umask (typically 0644), then written...
        with open(passwords_path, 'w') as f:
            f.write(yaml.safe_dump(password_params))
        # ...and only then restricted to owner-only access.
        os.chmod(passwords_path, 0o600)
When a file is first written and its permissions are only changed afterwards with chmod, there is a potential security risk known as a time-of-check to time-of-use (TOCTOU) race. The file is created with the process's default umask (typically mode 0644, i.e. world-readable), so between the moment the file is written and the moment chmod runs, another local user who reads the file in that window obtains the exported passwords.
A fix can look like the one in openstack-ansible, which creates the file with the restrictive mode from the start: https://github.com/openstack/openstack-ansible/blob/5f9173cb753f87eeec5a87716115dbc9670a03ce/scripts/pw-token-gen.py#L201
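To make the difference concrete, here is an added example (not code from tripleo-heat-templates or openstack-ansible) that creates the secrets file with mode 0600 at creation time via os.open, so there is never a window in which a wider mode is visible. The password dict, the dump_passwords() stand-in for yaml.safe_dump, and mode_before_chmod() are constructed for illustration; mode_before_chmod() replicates the original open-then-chmod pattern under a typical 022 umask and reports the mode that is visible in the window.

```python
"""Constructed example: create a secrets file with mode 0600 from the start
instead of open() followed by chmod(), and measure the window in the old pattern."""
import os
import stat
import tempfile

# Constructed sample data standing in for the generated stack passwords.
SAMPLE_PASSWORDS = {"parameter_defaults": {"AdminPassword": "example-not-real"}}


def dump_passwords(passwords):
    """Minimal stand-in for yaml.safe_dump so the example needs only the stdlib."""
    lines = ["parameter_defaults:"]
    for key, value in sorted(passwords["parameter_defaults"].items()):
        lines.append("  {}: {}".format(key, value))
    return "\n".join(lines) + "\n"


def write_secret_file(path, text):
    """Create `path` owner-readable only, write `text`, and return the final mode bits."""
    # O_CREAT|O_EXCL: fail if the file already exists, so a pre-placed file or
    # symlink with looser permissions is never reused.  O_NOFOLLOW: refuse to
    # follow a symlink at `path`.  The mode argument applies at creation, so the
    # file never exists with anything wider than 0600 (umask can only remove bits).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        # Re-apply the intended mode on the open descriptor in case an unusual
        # umask stripped owner bits; this is safe because nobody else could have
        # opened a file that never had a wider mode.
        os.fchmod(f.fileno(), 0o600)
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_before_chmod(path):
    """Replicate the original pattern and report the mode visible before chmod runs."""
    old_umask = os.umask(0o022)  # typical default umask on Linux hosts
    try:
        with open(path, "w") as f:
            f.write("secret\n")
        exposed = stat.S_IMODE(os.stat(path).st_mode)  # what a local user sees in the window
        os.chmod(path, 0o600)
        return exposed
    finally:
        os.umask(old_umask)


def demo():
    """Run both patterns in a temporary directory; return (safe_mode, content_ok,
    exclusive_create_refused_overwrite, exposed_mode_in_old_pattern)."""
    workdir = tempfile.mkdtemp()
    safe_path = os.path.join(workdir, "tripleo-overcloud-passwords.yaml")
    text = dump_passwords(SAMPLE_PASSWORDS)
    safe_mode = write_secret_file(safe_path, text)
    with open(safe_path) as f:
        content_ok = f.read() == text
    try:
        write_secret_file(safe_path, text)  # second create must fail (O_EXCL)
        refused = False
    except FileExistsError:
        refused = True
    exposed = mode_before_chmod(os.path.join(workdir, "old-pattern.yaml"))
    return safe_mode, content_ok, refused, exposed


if __name__ == "__main__":
    safe_mode, content_ok, refused, exposed = demo()
    print("new pattern mode: %s, content ok: %s, overwrite refused: %s"
          % (oct(safe_mode), content_ok, refused))
    print("old pattern mode visible before chmod: %s" % oct(exposed))
```

Under a 022 umask the old pattern leaves the file at 0644 until chmod runs, while the os.open variant is 0600 from the first instant the path exists; O_EXCL additionally guarantees the function is writing into a file it created itself rather than one placed there earlier.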