time-of-check to time-of-use (TOCTOU) attack

Bug #2047690 reported by lujiefsi
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Magnum
Fix Released
Undecided
lujiefsi

Bug Description

At https://github.com/openstack/magnum/blob/537e69aeb8df7af480e6af11a98687179d4dd89c/magnum/conductor/handlers/common/cert_manager.py#L185
, we first write ca_file,key_file cert_file , then we chmod mode them.

```
 ca_file = open(cached_ca_file, "w+")
            ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
            ca_file.flush()

            key_file = open(cached_key_file, "w+")
            key_file.write(encodeutils.safe_decode(
                magnum_cert.get_decrypted_private_key()))
            key_file.flush()

            cert_file = open(cached_cert_file, "w+")
            cert_file.write(
                encodeutils.safe_decode(magnum_cert.get_certificate()))
            cert_file.flush()

            os.chmod(cached_ca_file, 0o600)
            os.chmod(cached_key_file, 0o600)
            os.chmod(cached_cert_file, 0o600)

```

When a file is first written and then its permissions are later changed using chmod, there exists a potential security risk known as a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file.

Revision history for this message
lujiefsi (lujiefsi) wrote (last edit ):
lujiefsi (lujiefsi)
description: updated
lujiefsi (lujiefsi)
summary: - wrong order between write and chmod
+ time-of-check to time-of-use (TOCTOU) attack
lujiefsi (lujiefsi)
description: updated
lujiefsi (lujiefsi)
information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/magnum/+/906108

Changed in magnum:
status: New → In Progress
lujiefsi (lujiefsi)
Changed in magnum:
assignee: nobody → lujiefsi (lujiefsi)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/906108
Committed: https://opendev.org/openstack/magnum/commit/cb71d19382eef6bea273075a3287a952c40f8a3b
Submitter: "Zuul (22348)"
Branch: master

commit cb71d19382eef6bea273075a3287a952c40f8a3b
Author: lujie <email address hidden>
Date: Fri Jan 19 21:23:04 2024 +0800

    Move the chmod function before the write and flush functions to prevent sensitive information leakage.

    Closes-Bug: #2047690
    Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844

Changed in magnum:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/magnum/+/907302

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/magnum/+/907303

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/magnum/+/907304

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/magnum/+/907305

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/907302
Committed: https://opendev.org/openstack/magnum/commit/272fd686d8c8bf5954e9e7d3bc991ff27e46184d
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 272fd686d8c8bf5954e9e7d3bc991ff27e46184d
Author: lujie <email address hidden>
Date: Fri Jan 19 21:23:04 2024 +0800

    Move the chmod function before the write and flush functions to prevent sensitive information leakage.

    Closes-Bug: #2047690
    Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
    (cherry picked from commit cb71d19382eef6bea273075a3287a952c40f8a3b)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/907303
Committed: https://opendev.org/openstack/magnum/commit/883b40b5b0ecfc5f78758143c0d3c754458f12b7
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 883b40b5b0ecfc5f78758143c0d3c754458f12b7
Author: lujie <email address hidden>
Date: Fri Jan 19 21:23:04 2024 +0800

    Move the chmod function before the write and flush functions to prevent sensitive information leakage.

    Closes-Bug: #2047690
    Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
    (cherry picked from commit cb71d19382eef6bea273075a3287a952c40f8a3b)
    (cherry picked from commit 272fd686d8c8bf5954e9e7d3bc991ff27e46184d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/907304
Committed: https://opendev.org/openstack/magnum/commit/e79907c521149872c1b495355a3a7b3a0c7e3479
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e79907c521149872c1b495355a3a7b3a0c7e3479
Author: lujie <email address hidden>
Date: Fri Jan 19 21:23:04 2024 +0800

    Move the chmod function before the write and flush functions to prevent sensitive information leakage.

    Closes-Bug: #2047690
    Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
    (cherry picked from commit cb71d19382eef6bea273075a3287a952c40f8a3b)
    (cherry picked from commit 272fd686d8c8bf5954e9e7d3bc991ff27e46184d)
    (cherry picked from commit 883b40b5b0ecfc5f78758143c0d3c754458f12b7)

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/907305
Committed: https://opendev.org/openstack/magnum/commit/312aa6a86ac8e62f6ed4f1e9473fdabbbb7a4b1e
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 312aa6a86ac8e62f6ed4f1e9473fdabbbb7a4b1e
Author: lujie <email address hidden>
Date: Fri Jan 19 21:23:04 2024 +0800

    Move the chmod function before the write and flush functions to prevent sensitive information leakage.

    Closes-Bug: #2047690
    Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
    (cherry picked from commit cb71d19382eef6bea273075a3287a952c40f8a3b)
    (cherry picked from commit 272fd686d8c8bf5954e9e7d3bc991ff27e46184d)
    (cherry picked from commit 883b40b5b0ecfc5f78758143c0d3c754458f12b7)
    (cherry picked from commit e79907c521149872c1b495355a3a7b3a0c7e3479)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 16.0.2

This issue was fixed in the openstack/magnum 16.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 17.0.2

This issue was fixed in the openstack/magnum 17.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 14.1.2

This issue was fixed in the openstack/magnum 14.1.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 15.0.2

This issue was fixed in the openstack/magnum 15.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 18.0.0.0rc1

This issue was fixed in the openstack/magnum 18.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.