Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
Medium
|
Dane Fichter | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
OpenStack Security Notes |
Fix Released
|
High
|
Robert Clark |
Bug Description
This have been reported by Daniel P. Berrange:
"
In the OpenStack Liberty release, the Glance project added support for image signature verification.
The verification code was added in the following git commit
https:/
Unfortunately the design of this signature verification method is flawed by design.
The generalized approach to creating signatures of content is to apply a hash to the content and then encrypt it in some manner. Consider that the signature is defined to use hash=sha256 and cipher=rsa we can describe the signature computation as
signature = rsa(sha256(
In the case of verifying a disk image, the content we care about verifying is the complete disk image file. Unfortunately, the glance specification chose *not* to compute the signature against the disk image file. Glance already had an MD5 checksum calculated for the disk image file, so they instead chose to compute the signature against the MD5 checksum instead. ie glance is running
signature = rsa(sha256(
This degrades the security of the system to that of the weakest hash, which is obviously MD5 here.
The code where glance verifies the signature is in the glance/
result = signature_
self.context, checksum, self.image.
if result:
LOG.info(
self.image.
The 'checksum' variable is populate by the glance_store driver, but it is hardcoded to always be md5 in all current glance storage backends:
$ git grep hashlib glance_
glance_
glance_
glance_
glance_
glance_
glance_
hashlib.md5()
glance_
hashlib.md5()
Since we will soon be shipping OpenStack Liberty release, we need to at least give a security notice to alert our customers to the fact that the signature verification is cryptographically weak/broken. IMHO, it quite likely deserves a CVE though
NB, this is public knowledge as I first became aware of this flawed design in comments / discussion on a public specification proposed to implement the same approach in the Nova project.
My suggested way to fix this is to simply abandon the current impl and re-do it such that it directly computes the signature against the disk image, and does not use the existing md5 checksum in any way.
Regards,
Daniel
"
Mailing list thread for Nova impl: http://
Nova Spec: https:/
summary: |
- Use of MD5 in OpenStack Glance image signature + Use of MD5 in OpenStack Glance image signature (CVE-2015-8234) |
Changed in ossn: | |
importance: | Undecided → High |
assignee: | nobody → Robert Clark (robert-clark) |
Changed in glance: | |
importance: | Undecided → Medium |
status: | Triaged → In Progress |
assignee: | nobody → Dane Fichter (dane-fichter) |
milestone: | none → newton-1 |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.