hypothetical security issue regarding rootwrap/privsep

Bug #1874298 reported by Radosław Piliszek
Affects: kolla
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: -

Bug Description

In Kolla images, mostly source ones, there is a step that chowns /etc/<service> to <service>. This opens a possible attack vector if the affected service allows arbitrary writes under its user (due to some other security flaw in that particular service), which can be used to modify the privsep/rootwrap config and allow the service to run any command as root, which may be dangerous, especially since these containers likely run in fully privileged mode.

Note all source images are affected, and only some binary ones.

PoC for fix (very secret): https://review.opendev.org/722102

PS: This is where new engine would shine too, as this is now a bit tedious and error-prone to patch.
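
A defender's check for the condition described in the report above, as an added example that is not part of the original bug report or of the Kolla code: it lists everything under a service's config directory that an account other than root could modify. The function name `audit_config_dir` and the sample path `/etc/nova` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Kolla code). Run inside a built image or container.
#
# audit_config_dir DIR [TRUSTED_UID]
#   Prints every path under DIR, including DIR itself, that is either
#     - owned by a uid other than TRUSTED_UID (default 0, root), or
#     - writable by group or other (symlinks are exempt from the mode
#       check because their mode bits are not meaningful).
#   The directory entries matter as much as the files: a service user
#   that owns /etc/<service> can replace rootwrap.conf by rename even
#   when the file itself is owned by root.
#   Returns 0 if nothing is flagged, 1 if findings were printed,
#   2 if DIR is not a directory.
audit_config_dir() {
    dir=$1
    trusted_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -user with a number is treated as a uid when no such user name exists.
    findings=$(find "$dir" \
        \( ! -user "$trusted_uid" \
           -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage (path is an assumption; substitute the service being checked):
#   audit_config_dir /etc/nova || echo "config is modifiable by non-root"
```

A non-zero result on an image built before the fix is expected, since the chown step makes the whole directory tree owned by the service user.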

Radosław Piliszek (yoctozepto) wrote :

PoC passes, so it seems the correct fix is just to remove all chown calls on /etc

Mark Goddard (mgoddard)
Changed in kolla:
milestone: 10.0.0 → 10.0.1
milestone: 10.0.1 → 11.0.0
Mark Goddard (mgoddard)
Changed in kolla:
milestone: 11.0.0 → 11.1.0
Radosław Piliszek (yoctozepto) wrote :

Let's fix this one soon (hopeful yoctozepto).

Changed in kolla:
milestone: 11.1.0 → none
information type: Private Security → Public Security
Changed in kolla:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.opendev.org/c/openstack/kolla/+/722102
Committed: https://opendev.org/openstack/kolla/commit/2daf4331a648cc2df6982c1a6ec47a705e038255
Submitter: "Zuul (22348)"
Branch: master

commit 2daf4331a648cc2df6982c1a6ec47a705e038255
Author: Radosław Piliszek <email address hidden>
Date: Mon Aug 29 18:13:34 2022 +0000

    Fix writable rootwrap/privsep config

    Fixes a hypothetical security issue related to privilege escalation via
    rootwrap/privsep. A potentially vulnerable service could previously allow
    writes to its rootwrap/privsep config and thus allow for more commands
    to be run with root privileges via rootwrap/privsep. For a successful
    attack, this would also require the service to allow to run arbitrary
    commands via rootwrap/privsep. Thus far, no such vulnerabilities have
    been reported and thus this fix is simply strengthening the container
    images against such an issue in the future.

    Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a
    Closes-Bug: #1874298

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 15.0.0.0rc1

This issue was fixed in the openstack/kolla 15.0.0.0rc1 release candidate.
