Cinder

Un-sanitized eval statement in EMC volume driver

Bug #1366990 reported by Travis McPeak on 2014-09-08

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Invalid	Low	Xing Yang
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

In the EMC volume driver, the function _find_lun calls eval on a string without doing any kind of input sanitization:

https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/emc/emc_vmax_common.py#L1277

I haven't tracked down all the ways that "provider_location" can be set, but if an attacker is able to be set to something like "__import__('os').system('rm -rf /etc')" the etc directory will be removed with the privileges of the user that Cinder runs as.

Maybe somebody more familiar with Cinder and what "provider_location" does can chime in to whether it can be set to something malicious or not, and if so, how difficult that is.

Eval should never be called on un-sanitized or untrusted input.

If we are sure that there is no way for a malicious user to set this parameter, it can be made public, and should be viewed as a security hardening improvement.

Tags:

Jeremy Stanley (fungi) on 2014-09-08

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-09-11:

Was submitted as public bug on the duplicate.

information type:

Private Security → Public Security

Xing Yang (xing-yang) on 2014-09-11

Changed in cinder:
assignee:	nobody → Xing Yang (xing-yang)

Revision history for this message

Xing Yang (xing-yang) wrote on 2014-09-11:

provider_location is set by the driver. In the VMAX driver, this is the object path of a volume in SMI-S term. It is in a very specific format. It will be set when the volume is created. When retrieving an existing volume using this object path stored in provider_location, the volume can be found faster on the array using the SMI-S query. If provider_location is changed by someone, the driver won't be able to find the volume any more and therefore can't run any volume operations such as clone, attach, delete, etc, but it won't cause any damage to an existing volume either.

Revision history for this message

Duncan Thomas (duncan-thomas) wrote on 2014-09-11:

As Ying says, not really a vulnerability since the provider location is generated by the driver and you need DB write access to change it. Putting in some hardening is no bad thing, but not really exploitable.

Revision history for this message

Xing Yang (xing-yang) wrote on 2014-09-11:

The input is not from a user. When a volume is created, the object path is retrieved from SMI-S and stored in provider_location by the driver. I don't see security vulnerability here.

Revision history for this message

Xing Yang (xing-yang) wrote on 2014-09-11:

Sure, we can add some check there.

Changed in cinder:
importance:	Undecided → Low
status:	New → In Progress

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-09-11:

OK, unless someone disagrees, i'll remove the security flag on this one Monday.

Thierry Carrez (ttx) on 2014-09-15

information type:	Public Security → Public
Changed in ossa:
status:	Incomplete → Won't Fix

Xing Yang (xing-yang) on 2014-10-26

Changed in cinder:
status:	In Progress → Triaged

Mike Perez (thingee) on 2014-10-26

tags:

added: drivers emc

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2015-11-01: Bug Cleanup

Closing stale bug. If this is still an issue please reopen.

Changed in cinder:
status:	Triaged → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1368013

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.