Manila share existence detection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) |
Fix Released
|
Medium
|
Goutham Pacha Ravi |
Bug Description
Intro
-----
While performing a penetration test on a new OpenStack install of version Train, we found an issue that could lead to an information disclosure.
Description
-----------
In the test situation we had two, separate, projects, each with their own user. Users were only authorised for their own project, not for the other's project.
After creating a Manila share in project A by user A, we were able to check the existence of that share with user B by issuing the manila show <ID> command. The share cannot be manipulated or deleted.
Apparently, there is an authorisation check on the action but the error message makes it possible to determine the existence of a share.
Precondition
------------
- Logged in user (user B)
Discovered on October 8, 2020 by Arjen Zijlstra (<email address hidden>) and Arthur Donkers (arthur@1secure.nl)
Changed in manila: | |
milestone: | wallaby-3 → wallaby-rc1 |
Changed in manila: | |
milestone: | xena-1 → xena-2 |
Changed in manila: | |
milestone: | xena-2 → yoga-1 |
Changed in manila: | |
milestone: | yoga-1 → yoga-2 |
Changed in manila: | |
milestone: | yoga-2 → zed-1 |
Changed in manila: | |
milestone: | zed-1 → zed-3 |
Would this detection require guessing or somehow stealing a UUID?