[OSSA 2014-033] GlusterFS driver uses unsafe qcow2 format detection (CVE-2014-3641)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Fix Released | High | Eric Harney | |
Icehouse | Fix Released | High | Eric Harney | |
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | |
Bug Description
Concern about this was raised by Duncan Thomas.
The GlusterFS Cinder driver uses "qemu-img info" to guess at whether a volume file is a raw image or a qcow2 image.
This is unsafe because if a user writes a qcow2 header into a volume, Cinder will interpret it as a qcow2-formatted image. It is believed this can lead to data being extracted from files on the Cinder volume host by writing a qcow2 header with a backing file pointer referencing a path to a file, and then cloning the volume. (Other similar paths may exist.)
To fix this, Cinder needs to track the file format of any file being processed this way and use "qemu-img convert -f <source_format>" when performing operations like volume clone, which disables qemu-img's auto format detection.
This seems to affect the GlusterFS driver, but it is possible that other attack vectors exist. The convert_image() method in cinder/
Fixing this in the GlusterFS driver is not simple: since volume/snapshot qcow2 chains are manipulated by Nova as well as Cinder, we will need to have Nova pass information back to Cinder when an operation such as volume_
Since the above is a large effort, it may be possible to mitigate this in the short-term by having Cinder enforce some rules about whether a backing file pointer is valid before performing an operation on the file. For the GlusterFS driver that would be: must start with 'volume-<x>' and not contain '/', since our valid usage of this only points to another file named volume-<id>.<id> and does not use paths.
This attack hasn't yet been demonstrated to work, but this is a commonly known problem when processing qcow2 files.
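The short-term backing-file rule and the explicit `-f <source_format>` fix described in the report, sketched in Python as an added example (not Cinder's code or the actual patch). The function names and the constructed sample header are assumptions for illustration; the header field layout is taken from the qcow2 specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# qcow2 header prefix, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32)
HEADER = struct.Struct(">4sIQI")
MAX_BACKING_NAME = 1023  # length limit on the backing file name in the qcow2 spec


def read_backing_file(blob):
    """Return the backing file name found in the leading bytes of a volume file.

    None means no qcow2 magic (raw data) or a qcow2 header without a
    backing file. Raises ValueError when the header is malformed.
    """
    if not blob.startswith(QCOW2_MAGIC):
        return None
    if len(blob) < HEADER.size:
        raise ValueError("truncated qcow2 header")
    _magic, _version, offset, size = HEADER.unpack_from(blob)
    if offset == 0:
        return None
    if size > MAX_BACKING_NAME or offset + size > len(blob):
        raise ValueError("backing file name outside header data")
    return blob[offset:offset + size].decode("utf-8", errors="replace")


def backing_file_allowed(name):
    """Short-term rule from the report: 'volume-' prefix and no '/'."""
    return name is None or (name.startswith("volume-") and "/" not in name)


def convert_cmd(src, dst, tracked_format, out_format="raw"):
    """Build a qemu-img argv whose source format comes from driver metadata,
    so qemu-img does not probe the user-writable file contents."""
    if tracked_format not in ("raw", "qcow2"):
        raise ValueError("unknown tracked format: %r" % tracked_format)
    return ["qemu-img", "convert", "-f", tracked_format,
            "-O", out_format, src, dst]


def sample_header(backing_name):
    """Constructed test input: only the 20-byte prefix parsed above plus the
    name, not a complete qcow2 image."""
    name = backing_name.encode("utf-8")
    return HEADER.pack(QCOW2_MAGIC, 2, HEADER.size, len(name)) + name
```

The check runs on the bytes read from the volume file before any qemu-img operation; a name that fails `backing_file_allowed` means the operation should be refused rather than passed on.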
Changed in cinder:
status: New → In Progress
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in ossa:
status: Confirmed → Triaged
summary:
- GlusterFS driver uses unsafe qcow2 format detection
+ GlusterFS driver uses unsafe qcow2 format detection (CVE-2014-3641)
no longer affects: cinder/havana
Changed in cinder:
milestone: none → juno-rc1
Changed in cinder:
assignee: nobody → Eric Harney (eharney)
Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security
summary:
- GlusterFS driver uses unsafe qcow2 format detection (CVE-2014-3641)
+ [OSSA 2014-033] GlusterFS driver uses unsafe qcow2 format detection
+ (CVE-2014-3641)
Changed in ossa:
status: Fix Committed → Fix Released
Changed in cinder:
milestone: none → juno-rc2
no longer affects: cinder/juno
Changed in cinder:
milestone: juno-rc2 → 2014.2
Thanks for the report, the advisory task is in an incomplete state pending feedback from the cinder-coresec team.