time-of-check to time-of-use (TOCTOU) attack

Bug #2047699 reported by lujiefsi
Affects: tripleo
Status: In Progress
Importance: Undecided
Assigned to: Unassigned

Bug Description

The vulnerability is at https://github.com/openstack/tripleo-heat-templates/blob/1393d39be367db3acb02508e0e858395a4e4fefa/scripts/undercloud-upgrade-ephemeral-heat.py#L254 and https://github.com/openstack/tripleo-heat-templates/blob/1393d39be367db3acb02508e0e858395a4e4fefa/scripts/undercloud-upgrade-ephemeral-heat.py#L94

At undercloud-upgrade-ephemeral-heat.py#L254, we first write the password into a file, then chmod the mode of the file to 600.

    import os
    import yaml

    # LOG and plan_utils are module-level names of the script.
    def export_passwords(heat, stack, stack_dir):
        passwords_path = os.path.join(
            stack_dir, "tripleo-{}-passwords.yaml".format(stack))
        LOG.info("Exporting passwords for stack %s to %s"
                 % (stack, passwords_path))
        passwords = plan_utils.generate_passwords(heat=heat, container=stack)
        password_params = dict(parameter_defaults=passwords)
        # The file is created here with the process umask's default mode ...
        with open(passwords_path, 'w') as f:
            f.write(yaml.safe_dump(password_params))
        # ... and only restricted to 0600 afterwards.
        os.chmod(passwords_path, 0o600)

When a file is first written and then its permissions are later changed using chmod, there exists a potential security risk known as a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file.
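An added illustration of the write-then-chmod window and of the usual fix (not code from tripleo-heat-templates): on POSIX, Python's `open()` creates a file with mode `0o666 & ~umask`, so the hardened variant passes `0o600` to `os.open()` with `O_CREAT | O_EXCL`, which applies the mode in the same call that creates the file. The YAML serialisation is replaced by a constructed string, and `run_demo` is a hypothetical helper that pins the umask so the observed modes are deterministic.

```python
import os
import stat
import tempfile

def export_passwords_insecure(passwords_path, content):
    # Pattern from the report: open() creates the file as 0o666 & ~umask
    # (0o644 under the common 022 umask) and only chmod() narrows it later.
    # The fstat() inside the 'with' records what other users see meanwhile.
    with open(passwords_path, "w") as f:
        f.write(content)
        mode_in_window = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(passwords_path, 0o600)
    return mode_in_window

def export_passwords_secure(passwords_path, content):
    # Hardened form: 0o600 is applied by the open() syscall that creates the
    # file, so there is no window.  O_EXCL makes the call fail instead of
    # writing into anything that already exists at that path.
    fd = os.open(passwords_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)

def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def run_demo(umask=0o022):
    """Run both variants in a temp dir under a fixed umask; return observed modes."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed sample standing in for yaml.safe_dump() output.
            content = "parameter_defaults:\n  AdminPassword: sample-not-real\n"
            insecure = os.path.join(d, "tripleo-insecure-passwords.yaml")
            secure = os.path.join(d, "tripleo-secure-passwords.yaml")
            window_mode = export_passwords_insecure(insecure, content)
            export_passwords_secure(secure, content)
            try:
                export_passwords_secure(secure, content)  # path now exists
                refuses_existing = False
            except FileExistsError:
                refuses_existing = True
            return {
                "insecure_mode_in_window": window_mode,
                "insecure_mode_after_chmod": file_mode(insecure),
                "secure_mode": file_mode(secure),
                "secure_refuses_existing": refuses_existing,
            }
    finally:
        os.umask(old_umask)
```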

Jeremy Stanley (fungi) wrote :

It's my understanding that the TripleO project (including tripleo-heat-templates and python-tripleoclient) is no longer actively maintained, so it may make more sense to switch this report to public. I've subscribed the tripleo-coresec team in hopes that some of its members may still be around to confirm.

information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/906182
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.
