Comment 15 for bug 1554288

chro eric (chrorxu) wrote : Re: [Bug 1554288] Re: [FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability Notification

I agree that glance-registry should be deployed in a protected environment. I think
blocking the glance-registry service via a firewall at the gateway can only protect
against attacks from the Internet. In the internal network, I mean for those insiders, there
are still admin users and also non-admin users; if a malicious inside attacker
is a non-admin user (he has no admin privilege), he can still cause a
DoS attack.

BTW, from the above discussion I see that most of the focus is on admin users being able to
attack, but for this vulnerability, non-admin insider users can also attack.

On Fri, Mar 11, 2016 at 6:55 AM, Jeremy Stanley <email address hidden> wrote:

> Are you implying that there's no way to block access from tenant/project
> networks to the network on which Glance's registry service is exposed?
> Or are you saying in your particular test environment you deployed
> Glance in such a way that you exposed the registry endpoint to untrusted
> (non-admin/non-management) systems?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1554288
>
> Title:
> [FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability
> Notification
>
> Status in Glance:
> New
> Status in OpenStack Security Advisory:
> Incomplete
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> Vulnerability Notification
> March 7, 2016
> Tracking Case #: FG-VD-16-015
>
> Dear Openstack,
>
> The following information pertains to information discovered by
> Fortinet's FortiGuard Labs. It has been determined that a
> vulnerability exists in Openstack Glance module. To streamline the
> disclosure process, we have created a preliminary advisory which you
> can find below. This upcoming advisory is purely intended as a
> reference, and does not contain sensitive information such as proof of
> concept code.
>
> As a mature corporation involved in security research, we strive to
> responsibly disclose vulnerability information. We will not post an
> advisory until we determine it is appropriate to do so in coordination
> with the vendor unless a resolution cannot be reached. We
> will not disclose full proof of concept, only details relevant to the
> advisory.
>
> We look forward to working closely with you to resolve this issue, and
> kindly ask for your co-operation during this time. Please let us know
> if you have any further questions, and we will promptly respond to
> address any issues.
>
> If this message is not encrypted, it is because we could not find your
> key to do so. If you have one available for use, please notify us and
> we will ensure that this is used in future correspondence. We ask you
> use our public PGP key to encrypt and communicate any sensitive
> information with us. You may find the key on our FortiGuard center at:
> http://www.fortiguard.com/pgp_key.html.
>
> Type of Vulnerability & Repercussions:
> DoS
>
> Affected Software:
> Ubuntu 14.04.3 with latest repository installed
> # apt-get install software-properties-common
> # add-apt-repository cloud-archive:liberty
>
> Upcoming Advisory Reference:
> http://www.fortiguard.com/advisory/UpcomingAdvisories.html
>
> Credits:
> This vulnerability was discovered by Fortinet's FortiGuard Labs.
>
> Proof of Concept/How to Reproduce:
> 1. Run script "sh curl_get_token_demo_work.txt" to get a valid
> non-admin or admin user token. Need to replace "tenantName", "username",
> "password" with your Openstack credential.
> 2. Open script glance_DoS.py, and replace the line 30 "x-auth-token"
> value with the above token value, also replace the IP in url "
> http://10.0.0.11:9191/images" with your Openstack control node IP address.
> 3. Run script glance_DoS.py which will keep running forever. You can
> check the images added by the script using console command "glance
> image-list" or clicking Dashboard images column. You will notice you
> cannot delete the images added by the script. It prompts failure. Refer to
> the screenshots glance_cli_delete_fail.png and
> dashboard_delete_garbage_image_fail.png.
> 4. Because either non-admin or admin user cannot delete the garbage
> images, with the above PoC running forever, more and more garbage images
> are added. So finally DoS can be caused because resource is exhausted or
> glance database query is very very slow.
>
> Notes:
> 1) Run the PoC glance_DoS.py in Windows 7.
>
> Additional Information:
>
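The insider scenario discussed in this comment (an authenticated non-admin user piling up undeletable images until Glance is exhausted) is one an operator can at least detect from the image catalogue. The following is an added monitoring example, not code from the bug report or from Glance itself: it counts recent image creations per owner over image records shaped like Glance v2 API output (constructed sample data; the field names `owner`, `status` and `created_at` and the thresholds are assumptions) and flags owners whose creation rate looks like the PoC loop.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(s):
    """Parse a Glance-style UTC timestamp string into a datetime."""
    return datetime.strptime(s, TS_FMT)

# Constructed sample catalogue: tenant-a creates a few images normally, while
# tenant-b (the simulated non-admin insider) creates 60 images one second apart,
# which is what a script posting to the registry in a tight loop would produce.
SAMPLE_IMAGES = [
    {"id": "img-a-%d" % i, "owner": "tenant-a", "status": "active",
     "created_at": "2016-03-11T06:%02d:00Z" % (40 + 5 * i)} for i in range(3)
] + [
    {"id": "img-b-%d" % i, "owner": "tenant-b", "status": "queued",
     "created_at": "2016-03-11T06:50:%02dZ" % i} for i in range(60)
]

def creations_per_owner(images, window, now):
    """Count images created within `window` before `now`, keyed by owner."""
    cutoff = now - window
    counts = defaultdict(int)
    for img in images:
        if parse_ts(img["created_at"]) >= cutoff:
            counts[img["owner"]] += 1
    return dict(counts)

def flag_runaway_owners(images, window, threshold, now):
    """Return [(owner, count)] for owners exceeding `threshold` creations in the window,
    highest count first. The threshold is a deployment-specific assumption."""
    counts = creations_per_owner(images, window, now)
    flagged = [(o, c) for o, c in counts.items() if c > threshold]
    return sorted(flagged, key=lambda oc: (-oc[1], oc[0]))

def demo():
    """Run the check over the constructed catalogue: 10-minute window, 20-image threshold."""
    now = parse_ts("2016-03-11T07:00:00Z")
    return flag_runaway_owners(SAMPLE_IMAGES, timedelta(minutes=10), 20, now)

if __name__ == "__main__":
    for owner, count in demo():
        print("runaway image creation: owner=%s count=%d" % (owner, count))
```

In a real deployment the records would come from `glance image-list` (or the v2 `/v2/images` API) polled on a schedule, and a flagged owner is the cue to inspect whether its images can be deleted and, as Jeremy suggests above, whether the registry endpoint is reachable from tenant networks at all.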