Comment 4 for bug 1990157
Brian Rosmaita (brian-rosmaita) wrote : Re: Malicious image data modification can happen when using COW

@Jeremy: I think it's fair to say that this issue was present at the time of OSSA 2016-006 but nobody realized it ... that's because after the initial bug was fixed, a subsequent bug was filed that did identify the issue. Here's the history of this problem:

1. "[OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757)"
https://bugs.launchpad.net/glance/+bug/1525915
what: create image, upload data (checksum is set), delete all locations, image goes to 'queued' status, can upload malicious data via the API in the normal way
- checksum can't be modified (although checksum is md5 until Rocky)
- can only do it with an image you own (or if you are admin)
- fix: don't allow the image location deletion if the result would be no locations

2. "Normal user can replace active image data if show_multiple_locations has been set to true"
https://bugs.launchpad.net/ossn/+bug/1549483
what: create image, upload data (checksum is set), add a new location pointing to malicious data, delete all non-malicious locations
- checksum can't be modified (although checksum is md5 until Rocky)
- can only do it with an image you own (or if you are admin)
- fix: OSSN-0065 recommends do not configure glance with show_multiple_locations=true

3. In Rocky (glance 17.0.0, Tagged on 2018-08-30 14:06:53 +0000)
- introduction of glance "multihash" ... like legacy "checksum", os_hash_algo/os_hash_value can't be modified, and the default algo is sha512
- if the "multihash" is checked on download, data substitution from Bug #1549483 will be revealed

4. In Rocky (glance 17.0.1, Tagged on 2020-03-19 12:26:00 +0000)
- https://docs.openstack.org/releasenotes/glance/rocky.html#relnotes-17-0-1-stable-rocky
- Known Issue: "The workaround is to continue to use the show_multiple_locations option in a dedicated “internal” Glance node that is not accessible to end users. We continue to recommend that image locations not be exposed to end users."

5. "Malicious image data modification can happen when using COW"
https://bugs.launchpad.net/glance/+bug/1990157 (this bug)
what: create an image, upload data ("multihash" is set), boot a server from the image, ask nova to create an image from the server. This image will not have "multihash" info set. Then do the attack from Bug #1549483, probably by uploading a malicious image to glance (to get the data into the backend); then add the location to the un-checksummed image and delete the original location from the un-checksummed image
- can't mitigate with a "multihash" check (because there isn't one)
- can only do it with an image you own (or if you are admin)
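The five steps above describe one attack primitive (add a location, delete the original) whose detectability depends entirely on whether the image record carries an immutable hash that the downloader actually checks. The following is an added illustration, not code from this bug report, from Brian Rosmaita, or from glance itself: it models an image record with the real v2 fields `checksum`, `os_hash_algo` and `os_hash_value`, simulates the location swap from Bug #1549483 against a constructed in-memory "store", and runs the download-side check that Rocky's multihash makes possible. The store contents, the `rbd://` location strings and the helper names (`new_image`, `swap_location`, `download`, `verify`) are all invented for the example; the point it demonstrates is that an image created without a multihash (the nova/COW snapshot case in step 5) cannot be verified at all, while one with a multihash reveals the substitution.

```python
import hashlib
import hmac

# Constructed fake backend store: location URL -> stored bytes.
# Not a real glance store; both the URLs and the payloads are invented.
STORE = {
    "rbd://pool/good-image": b"original image bytes",
    "rbd://pool/evil-image": b"substituted image bytes",
}


def new_image(data_loc: str, with_multihash: bool = True,
              with_checksum: bool = True) -> dict:
    """Build an image record (assumed shape, mirroring glance v2 field names).

    A normal upload sets the legacy md5 `checksum` and, since Rocky, the
    sha512 `os_hash_algo` / `os_hash_value` pair. A record created from a
    location only (e.g. a COW snapshot registered by nova) can lack either.
    """
    data = STORE[data_loc]
    image = {
        "status": "active",
        "locations": [data_loc],
        "checksum": None,
        "os_hash_algo": None,
        "os_hash_value": None,
    }
    if with_checksum:
        image["checksum"] = hashlib.md5(data).hexdigest()
    if with_multihash:
        image["os_hash_algo"] = "sha512"
        image["os_hash_value"] = hashlib.sha512(data).hexdigest()
    return image


def swap_location(image: dict, evil_loc: str) -> dict:
    """The Bug #1549483 move: add a new location, then delete every other one.

    Only the location list changes. checksum / os_hash_* are immutable through
    the API, so they still describe the *original* data.
    """
    image["locations"].append(evil_loc)
    image["locations"] = [loc for loc in image["locations"] if loc == evil_loc]
    return image


def download(image: dict) -> bytes:
    """Fetch bytes from the image's first (now only) location."""
    return STORE[image["locations"][0]]


def verify(image: dict, data: bytes) -> str:
    """Client-side download check.

    Returns one of:
      "ok"          - multihash present and matches
      "ok-md5-only" - no multihash; only the legacy md5 checksum matched
      "mismatch"    - whichever hash was present does not match the data
      "unverifiable"- the record carries no hash at all (step 5 above)
    """
    algo, value = image.get("os_hash_algo"), image.get("os_hash_value")
    if algo and value:
        digest = hashlib.new(algo, data).hexdigest()
        return "ok" if hmac.compare_digest(digest, value) else "mismatch"
    checksum = image.get("checksum")
    if checksum:
        digest = hashlib.md5(data).hexdigest()
        return "ok-md5-only" if hmac.compare_digest(digest, checksum) else "mismatch"
    return "unverifiable"


if __name__ == "__main__":
    # Rocky-style upload: the swap is detected on download.
    img = new_image("rbd://pool/good-image")
    print("before swap:", verify(img, download(img)))
    swap_location(img, "rbd://pool/evil-image")
    print("after swap: ", verify(img, download(img)))

    # Snapshot registered by location only: nothing to check against.
    snap = new_image("rbd://pool/good-image",
                     with_multihash=False, with_checksum=False)
    swap_location(snap, "rbd://pool/evil-image")
    print("snapshot:   ", verify(snap, download(snap)))
```

The operational takeaway matches the bug's own assessment: a downloader that insists on `verify() == "ok"` (and treats `"ok-md5-only"` as weak and `"unverifiable"` as a hard failure) catches the step-2 variant but has nothing to catch in the step-5 variant, which is why the fix has to be on the server side (not exposing locations to end users) rather than on the consumer.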