[OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231)

Bug #1377981 reported by Tristan Cacqueray on 2014-10-06
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Medium
Tristan Cacqueray
Icehouse
Undecided
Tristan Cacqueray
OpenStack Compute (nova)
Undecided
Tristan Cacqueray
Icehouse
Undecided
Tristan Cacqueray
OpenStack Security Advisory
Medium
Tristan Cacqueray
oslo-incubator
Undecided
Tristan Cacqueray
Icehouse
Undecided
Tristan Cacqueray

Bug Description

Former bugs:
  https://bugs.launchpad.net/ossa/+bug/1343604
  https://bugs.launchpad.net/ossa/+bug/1345233

The ssh_execute method is still affected in Cinder and Nova Icehouse release.
It is prone to password leak if:
- passwords are used on the command line
- execution fail
- calling code catch and log the exception

The missing fix from oslo-incubator to be merged is: 6a60f84258c2be3391541dbe02e30b8e836f6c22

CVE References

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Thierry Carrez (ttx) on 2014-10-06
Changed in cinder:
status: New → In Progress
Changed in nova:
status: New → In Progress
Changed in oslo-incubator:
status: New → Fix Released
Changed in ossa:
status: New → Triaged
Changed in ossa:
status: Triaged → In Progress
Changed in nova:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in cinder:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Thierry Carrez (ttx) on 2014-10-06
tags: added: juno-rc-potential
Changed in ossa:
importance: Undecided → Medium

Here is the updated impact description.

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder and Nova (versions up to 2014.1.3)
                    Trove (versions up to 2014.1.2)

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that have failed or when the mask_password did not mask passwords properly.

Jeremy Stanley (fungi) wrote :

I have a couple minor English grammar corrections to suggest:

"... An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed or when mask_password did not mask passwords properly."

Aside from that, the impact description looks fine. The products header is conflated with our usual versions header, but as this is for different versions of two projects that is probably unavoidable.

information type: Public → Public Security

Reviewed: https://review.openstack.org/126052
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567
Submitter: Jenkins
Branch: master

commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:57:01 2014 +0000

    Sync latest processutils from oslo-incubator

    An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
    to address ssh_execute(). This change set addresses ssh_execute.

    ------------------------------------------------

    oslo-incubator head:

    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <email address hidden>
    Date: Mon Sep 29 23:12:14 2014 +0000

        Merge "Script to list unreleased changes in all oslo projects"

    -----------------------------------------------

    The sync pulls in the following changes (newest to oldest):

    6a60f842 - Mask passwords in exceptions and error messages (SSH)

    -----------------------------------------------

    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

Changed in cinder:
status: In Progress → Fix Committed
summary: Missing fix for ssh_execute (Exceptions thrown may contain passwords)
+ (CVE-2014-7230, CVE-2014-7231)

@fungi Thanks!

Here is an updated impact description, including assigned CVE:

Title: Potential leak of passwords into log files
Reporter: Amrith Kumar (Tesora)
Products: Cinder and Nova (versions up to 2014.1.3)
                    Trove (versions up to 2014.1.2)

Description:
Amrith Kumar from Tesora reported two vulnerabilities in the processutils.execute() and strutils.mask_password() functions available from oslo-incubator that are copied into each project's code. An attacker with read access to the services' logs may obtain passwords used as a parameter of a command that has failed (CVE-2014-7230) or when mask_password did not mask passwords properly (CVE-2014-7231). All Cinder, Nova and Trove setups are affected.

Thierry Carrez (ttx) on 2014-10-07
Changed in cinder:
milestone: none → juno-rc2
tags: removed: juno-rc-potential
Thierry Carrez (ttx) on 2014-10-07
Changed in cinder:
importance: Undecided → Medium
Joe Gordon (jogo) on 2014-10-07
Changed in nova:
milestone: none → juno-rc2

Reviewed: https://review.openstack.org/126047
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8e7d6a60ff92df19aceb0972566b48992eee18b4
Submitter: Jenkins
Branch: master

commit 8e7d6a60ff92df19aceb0972566b48992eee18b4
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

    Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.

    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.

    OSSA is aware of this change request.

    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

Changed in nova:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/126592
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d5efe6703297761215907eeaf703cec040e6ad25
Submitter: Jenkins
Branch: proposed/juno

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:57:01 2014 +0000

    Sync latest processutils from oslo-incubator

    An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
    to address ssh_execute(). This change set addresses ssh_execute.

    ------------------------------------------------

    oslo-incubator head:

    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <email address hidden>
    Date: Mon Sep 29 23:12:14 2014 +0000

        Merge "Script to list unreleased changes in all oslo projects"

    -----------------------------------------------

    The sync pulls in the following changes (newest to oldest):

    6a60f842 - Mask passwords in exceptions and error messages (SSH)

    -----------------------------------------------

    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981
    (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)

Changed in cinder:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/126594
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ee3594072a7ef1c3f5661021fb31118069cbd646
Submitter: Jenkins
Branch: proposed/juno

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

    Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a user with read access to
    the log files. It is therefore considered prudent to invoke
    strutils.mask_password() on the command, stdout and stderr in the
    exception. A test case has been added (to oslo-incubator) in order to
    ensure that all three are properly masked.

    An earlier commit (853d8f9897f8563851441108a9be26b10908c076) failed
    to address ssh_execute(). This change set addresses ssh_execute.

    OSSA is aware of this change request.

    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981

Changed in nova:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/126665
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=390259bb40f85b20ea181166bf082f8b97c0a824
Submitter: Jenkins
Branch: stable/icehouse

commit 390259bb40f85b20ea181166bf082f8b97c0a824
Author: Tristan Cacqueray <email address hidden>
Date: Tue Oct 7 18:55:54 2014 +0000

    Sync process utils from oslo

    This patch backports the missing change to fix ssh_execute password leak

    ------------------------------------------------
    The sync pulls in the following changes:

    105169f8 - Mask passwords in exceptions and error messages (SSH)
    -----------------------------------------------

    Closes-Bug: 1377981
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958

Reviewed: https://review.openstack.org/126699
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=56b62b79a75624305858c10a5f285b08374b7506
Submitter: Jenkins
Branch: stable/icehouse

commit 56b62b79a75624305858c10a5f285b08374b7506
Author: Tristan Cacqueray <email address hidden>
Date: Tue Oct 7 19:36:07 2014 +0000

    Sync process utils from oslo

    This patch backports the missing change to fix ssh_execute password leak

    ------------------------------------------------
    The sync pulls in the following changes:

    105169f8 - Mask passwords in exceptions and error messages (SSH)
    -----------------------------------------------

    Closes-Bug: 1377981
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958

Changed in oslo-incubator:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
summary: - Missing fix for ssh_execute (Exceptions thrown may contain passwords)
- (CVE-2014-7230, CVE-2014-7231)
+ [OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may
+ contain passwords) (CVE-2014-7230, CVE-2014-7231)
Changed in ossa:
status: In Progress → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in nova:
milestone: juno-rc2 → 2014.2
Thierry Carrez (ttx) on 2014-10-16
Changed in cinder:
milestone: juno-rc2 → 2014.2
Download full text (7.7 KiB)

Reviewed: https://review.openstack.org/128894
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9825784742d010a902ff149765269ad32a8a0dfd
Submitter: Jenkins
Branch: master

commit 7c9aa6da92805f20083203a6ec8f93b1b592fc13
Author: He Jie Xu <email address hidden>
Date: Sun Oct 5 00:20:01 2014 +0800

    Fix pci_request_id break the upgrade from icehouse to juno

    commit a8a5d44c8aca218f00649232c2b8a46aee59b77e add pci_request_id
    as one item for the request_network tuple. But the icehouse code
    assume only three items in the tuple.

    This patch filters pci_request_id out from the tuple.

    Cherry-Pick from:
    https://review.openstack.org/#/c/126144/6

    Change-Id: I991e1c68324fe92fac647583f3ec8f6aec637913
    Closes-Bug: #1377447

commit 10a5eecd0973096b57efd31f8b27d7295a44ab89
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:22:36 2014 +0200

    Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_file nova

    Change-Id: I64b2b468f7edd44dbb445b5b4e68b65c3fa53d9e

commit 3f9003270efd9ac036f3c229b36baa0bb05203bf
Author: Russell Bryant <email address hidden>
Date: Wed Oct 8 12:14:31 2014 +0000

    Fix broken cert revocation

    Cert revocation was broken by
    32b0adb591f80ad2c5c19519b4ffc2b55dbea672. os.chdir() never returns
    anything, so this method would always raise an exception. The proper
    way to handle an error from os.chdir() is to catch OSError.

    There were existing tests for this code, but they conveniently mocked
    os.chdir() to return values that are never actually returned. The
    tests were fixed to match the real behavior.

    Change-Id: I7549bb60a7d43d53d6f81eecea31cbb9720cc8b6
    Closes-bug: #1376368
    (cherry picked from commit c8538208da00c3b0d0646629c9d668aa69944b85)

commit 6ed57972093835f449ad645b3783bbb8b3c4245e
Author: Russell Bryant <email address hidden>
Date: Fri Oct 3 16:41:03 2014 -0400

    Update rpc version aliases for juno

    Update all of the rpc client API classes to include a version alias
    for the latest version implemented in Juno. This alias is needed when
    doing rolling upgrades from Juno to Kilo. With this in place, you can
    ensure all services only send messages that both Juno and Kilo will
    understand.

    Closes-bug: #1378786
    Change-Id: Ia81538130bf8530b70b5f55c7a3d565903ff54b4
    (cherry picked from commit f98d725103c53e767a1cddb0b7e2c3822309db17)

commit ee3594072a7ef1c3f5661021fb31118069cbd646
Author: Tristan Cacqueray <email address hidden>
Date: Fri Oct 3 19:53:42 2014 +0000

    Mask passwords in exceptions and error messages

    When a ProcessExecutionError is thrown by processutils.ssh_execute(),
    the exception may contain information such as password. Upstream
    applications that just log the message (as several appear to do)
    could inadvertently expose these passwords to a u...

Read more...

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/128920

Download full text (11.8 KiB)

Reviewed: https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch: master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

    Fix LVM iSCSI driver tgtadm CHAP authentication

    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.

    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

    Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.

    This patch changes volume export behavior that exports a volume only if
    the volume status is 'in-use'.

    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <email address hidden>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <email address hidden>
Date: Fri Oct 10 23:06:27 2014 +0530

    Revert "Relocate volume to compliant datastore"

    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.

    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:25:28 2014 +0200

    Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder

    Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <email address hidden>
Date: Thu Aug 28 16:03:41 2014 +0530

    NetApp fix eseries unit test mock clean

 ...

Kashyap Chamarthy (kashyapc) wrote :

(Sorry, please disregard comment#20 -- it was an inadvertent typo, and meant for a different bug -- LP# 1562681)

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers