Comment 16 for bug 1554288

chro eric (chrorxu) wrote : Re: [Bug 1554288] Re: [FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability Notification

I think because the glance-registry service listens on the 0.0.0.0 address, except
for those people blocked by the firewall from accessing port 9191, the glance-registry service
can still be accessed by anyone who is not blocked by the firewall. If these
people include an insider attacker, he may not be an admin user, he has no
admin privilege, and he can still launch a DoS attack. That is to say, for
the vulnerability, a non-admin insider user can also attack, so the impact is
greater than an admin-user-only attack.

On Fri, Mar 11, 2016 at 7:13 AM, Ch Chror <email address hidden> wrote:

> I agree deploying glance-registry should be a protected environment. I think
> blocking the glance-registry service via a firewall at the gateway can only protect
> from internet attack. In the internal network, I mean for those insiders, there are still
> admin users and also non-admin users; if a malicious inside attacker
> is a non-admin user (he has no admin privilege), he can still cause a
> DoS attack.
>
> BTW, because I see from the above discussion, most focus on admin users being able to
> attack, but for the vulnerability, non-admin insider users can also attack.
>
>
>
> On Fri, Mar 11, 2016 at 6:55 AM, Jeremy Stanley <email address hidden> wrote:
>
>> Are you implying that there's no way to block access from tenant/project
>> networks to the network on which Glance's registry service is exposed?
>> Or are you saying in your particular test environment you deployed
>> Glance in such a way that you exposed the registry endpoint to untrusted
>> (non-admin/non-management) systems?
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1554288
>>
>> Title:
>> [FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability
>> Notification
>>
>> Status in Glance:
>> New
>> Status in OpenStack Security Advisory:
>> Incomplete
>>
>> Bug description:
>> This issue is being treated as a potential security risk under
>> embargo. Please do not make any public mention of embargoed (private)
>> security vulnerabilities before their coordinated publication by the
>> OpenStack Vulnerability Management Team in the form of an official
>> OpenStack Security Advisory. This includes discussion of the bug or
>> associated fixes in public forums such as mailing lists, code review
>> systems and bug trackers. Please also avoid private disclosure to
>> other individuals not already approved for access to this information,
>> and provide this same reminder to those who are made aware of the
>> issue prior to publication. All discussion should remain confined to
>> this private bug report, and any proposed fixes should be added to the
>> bug as attachments.
>>
>> --
>>
>> Vulnerability Notification
>> March 7, 2016
>> Tracking Case #: FG-VD-16-015
>>
>> Dear Openstack,
>>
>> The following information pertains to information discovered by
>> Fortinet's FortiGuard Labs. It has been determined that a
>> vulnerability exists in Openstack Glance module. To streamline the
>> disclosure process, we have created a preliminary advisory which you
>> can find below. This upcoming advisory is purely intended as a
>> reference, and does not contain sensitive information such as proof of
>> concept code.
>>
>> As a mature corporation involved in security research, we strive to
>> responsibly disclose vulnerability information. We will not post an
>> advisory until we determine it is appropriate to do so in co-
>> ordination with the vendor unless a resolution cannot be reached. We
>> will not disclose full proof of concept, only details relevant to the
>> advisory.
>>
>> We look forward to working closely with you to resolve this issue, and
>> kindly ask for your co-operation during this time. Please let us know
>> if you have any further questions, and we will promptly respond to
>> address any issues.
>>
>> If this message is not encrypted, it is because we could not find your
>> key to do so. If you have one available for use, please notify us and
>> we will ensure that this is used in future correspondence. We ask you
>> use our public PGP key to encrypt and communicate any sensitive
>> information with us. You may find the key on our FortiGuard center at:
>> http://www.fortiguard.com/pgp_key.html.
>>
>> Type of Vulnerability & Repercussions:
>> DoS
>>
>> Affected Software:
>> Ubuntu 14.04.3 with latest repository installed
>> # apt-get install software-properties-common
>> # add-apt-repository cloud-archive:liberty
>>
>> Upcoming Advisory Reference:
>> http://www.fortiguard.com/advisory/UpcomingAdvisories.html
>>
>> Credits:
>> This vulnerability was discovered by Fortinet's FortiGuard Labs.
>>
>> Proof of Concept/How to Reproduce:
>> 1. Run script "sh curl_get_token_demo_work.txt" to get a valid
>> non-admin or admin user token. Need to replace "tenantName", "username",
>> "password" with your Openstack credential.
>> 2. Open script glance_DoS.py, and replace the line 30 "x-auth-token"
>> value with the above token value, also replace the IP in url
>> "http://10.0.0.11:9191/images" with your Openstack control node IP
>> address.
>> 3. Run script glance_DoS.py which will keep running forever. You can
>> check the images added by the script using console command "glance
>> image-list" or clicking Dashboard images column. You will notice you
>> cannot delete the images added by the script. It prompts failure. Refer to
>> the screenshots glance_cli_delete_fail.png and
>> dashboard_delete_garbage_image_fail.png.
>> 4. Because either non-admin or admin user cannot delete the garbage
>> images, with the above PoC running forever, more and more garbage images
>> are added. So finally DoS can be caused because resource is exhausted or
>> glance database query is very very slow.
>>
>> Notes:
>> 1) Run the PoC glance_DoS.py in Windows 7.
>>
>> Additional Information:
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/glance/+bug/1554288/+subscriptions
>>
>
>
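A defensive check for the exposure discussed above (the registry listening on 0.0.0.0:9191 and therefore reachable by any host the firewall does not block), as an added example that is not code from the bug report, from Fortinet, or from the Glance project. It reads a glance-registry.conf-style INI and reports whether the listener is wider than the management network. The option names `bind_host` and `bind_port` are Glance's registry options (an assumption about the deployed version); the two config texts and the management network `10.0.0.0/24` (built around the `10.0.0.11` control-node address from the PoC text) are constructed for the example.

```python
"""Added example (not from the bug report or the Glance project): flag a
glance-registry listener that is bound to all interfaces instead of a
management-network address."""
import configparser
import ipaddress

# Constructed sample: the default-style config the thread describes,
# where the registry answers on every interface of the control node.
EXPOSED_CONF = """
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9191
"""

# Constructed sample: registry limited to one management-network address
# (10.0.0.11 is the control-node IP quoted in the PoC text).
RESTRICTED_CONF = """
[DEFAULT]
bind_host = 10.0.0.11
bind_port = 9191
"""

# Values that make the socket listen on all IPv4/IPv6 interfaces.
WILDCARD_HOSTS = {"0.0.0.0", "::", ""}


def assess_bind(conf_text, management_nets=("10.0.0.0/24",)):
    """Return where the registry listens and whether that is exposed,
    i.e. reachable from outside the given management networks.

    management_nets is an assumed list of CIDRs that the operator
    treats as trusted; everything else is considered tenant/untrusted.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    # Glance's registry defaults are bind_host=0.0.0.0, bind_port=9191,
    # so a missing option is treated as the exposed default.
    host = parser.get("DEFAULT", "bind_host", fallback="0.0.0.0").strip()
    port = parser.getint("DEFAULT", "bind_port", fallback=9191)

    if host in WILDCARD_HOSTS:
        return {
            "host": host or "0.0.0.0",
            "port": port,
            "exposed": True,
            "reason": "bound to all interfaces; reachable by any host "
                      "the firewall does not block, including non-admin "
                      "insiders on tenant networks",
        }

    addr = ipaddress.ip_address(host)
    in_mgmt = any(addr in ipaddress.ip_network(net) for net in management_nets)
    return {
        "host": host,
        "port": port,
        "exposed": not in_mgmt,
        "reason": ("bound to a management-network address" if in_mgmt
                   else "bound to an address outside the management networks"),
    }


def main():
    for label, conf in (("exposed", EXPOSED_CONF), ("restricted", RESTRICTED_CONF)):
        result = assess_bind(conf)
        print(f"{label}: {result['host']}:{result['port']} "
              f"exposed={result['exposed']} ({result['reason']})")


if __name__ == "__main__":
    main()
```

Run it against the real `/etc/glance/glance-registry.conf` by passing the file contents to `assess_bind` with your own management CIDRs; a result with `exposed=True` means the firewall is the only thing standing between tenant networks and the registry, which is the situation the comment above warns about.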