std.ssh action can be used to explore executor's filesystem

Bug #1783708 reported by Pierre Gaxatte on 2018-07-26
Affects: Mistral
Status: Fix Released
Importance: High
Assigned to: Adriano Petrich
Milestone: stein-1

Bug Description

Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem:

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/notthere"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/notthere'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: [Errno 2] No such file or directory: u'/notthere'"}

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/passwd"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/passwd'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}

This can help detect the nature of the underlying system:

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/debian_version"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/debian_version'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}

-> Hello Debian based system!

This behavior is not present in pike (I haven't tested versions in between pike and master) because it does not allow absolute paths.

CVE References

CVE-2018-16849

Pierre Gaxatte (pierre-gaxatte) wrote :

I only see two options out of this problem:

1) Remove the possibility to use an absolute path, but this might break stuff

2) Put a generic error message for both (file does not exist or file exists but is not a valid key) that does not disclose the existence of the file. Something like "Cannot use private key [...]"
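Added illustration, not Mistral's code and not the reporter's: a Python sketch of the file-existence oracle described in the bug report, next to the generic-error-message fix proposed in the comment above (option 2). Assumptions: paramiko is replaced by a small stand-in loader that only reproduces the two error texts quoted in the description; the file paths, the fake "key" contents and the function names (`run_ssh_vulnerable`, `run_ssh_hardened`, `file_exists_oracle`, `demo`) are constructed for this example.

```python
import logging
import os
import tempfile

LOG = logging.getLogger("std.ssh.example")
GENERIC_MESSAGE = "Cannot use private key"


def load_private_key(path):
    """Stand-in for paramiko's RSAKey.from_private_key_file (assumption: paramiko
    is not imported so the example runs offline). It reproduces the two failure
    modes quoted in the report: open() raising [Errno 2] for a missing path, and
    "not a valid RSA private key file" for a file that exists but is not a PEM key."""
    with open(path, "rb") as f:          # FileNotFoundError: "No such file or directory"
        data = f.read()
    if not data.startswith(b"-----BEGIN") or b"PRIVATE KEY-----" not in data:
        raise ValueError("not a valid RSA private key file")
    return data


def run_ssh_vulnerable(private_key_filename):
    """Leaky variant: the raw exception text is handed back to the API caller,
    so "missing file" and "existing but not a key" are distinguishable."""
    try:
        load_private_key(private_key_filename)
    except Exception as e:               # broad catch: every failure goes back verbatim
        return "Failed to execute ssh cmd\nException: %s" % e
    return "ok"


def run_ssh_hardened(private_key_filename):
    """Fixed variant: one generic message for every key-loading failure; the
    detailed reason goes only to the server-side log, never to the caller."""
    try:
        load_private_key(private_key_filename)
    except Exception as e:
        LOG.warning("std.ssh private key %r unusable: %s", private_key_filename, e)
        return "Failed to execute ssh cmd\n%s" % GENERIC_MESSAGE
    return "ok"


def file_exists_oracle(run_action, path):
    """What an attacker does with the error text: True/False if the message
    reveals whether `path` exists on the executor, None if it reveals nothing."""
    result = run_action(path)
    if "No such file or directory" in result:
        return False
    if "not a valid RSA private key file" in result:
        return True
    return None


def demo():
    """Probe a constructed directory through both variants and report what leaks."""
    tmp = tempfile.mkdtemp()
    existing = os.path.join(tmp, "debian_version")   # constructed stand-in for /etc/debian_version
    with open(existing, "w") as f:
        f.write("9.5\n")
    keyfile = os.path.join(tmp, "id_rsa")             # constructed placeholder, NOT a real key
    with open(keyfile, "wb") as f:
        f.write(b"-----BEGIN RSA PRIVATE KEY-----\nnotarealkey\n-----END RSA PRIVATE KEY-----\n")
    missing = os.path.join(tmp, "notthere")
    return {
        "vulnerable_existing": file_exists_oracle(run_ssh_vulnerable, existing),   # True
        "vulnerable_missing": file_exists_oracle(run_ssh_vulnerable, missing),     # False
        "hardened_existing": file_exists_oracle(run_ssh_hardened, existing),       # None
        "hardened_missing": file_exists_oracle(run_ssh_hardened, missing),         # None
        "vulnerable_same_text": run_ssh_vulnerable(existing) == run_ssh_vulnerable(missing),
        "hardened_same_text": run_ssh_hardened(existing) == run_ssh_hardened(missing),
        "valid_key_loads": run_ssh_hardened(keyfile) == "ok",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the hardened variant is that the caller-visible string is byte-for-byte identical for both failure modes; any difference in wording, status code or timing reintroduces the oracle, so the detailed reason belongs only in the log that the executor's operator can read.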

Dougal Matthews (d0ugal) wrote :

We use paramiko for SSH, I wonder if a more recent version changed the error, exposing more information.

Changed in mistral:
status: New → Confirmed
importance: Undecided → High
milestone: none → rocky-3
Pierre Gaxatte (pierre-gaxatte) wrote :

The same error will probably happen in an older version of paramiko but this is less a problem since the path cannot escape /var/lib/mistral

Dougal Matthews (d0ugal) on 2018-08-08
Changed in mistral:
milestone: rocky-3 → rocky-rc1
Dougal Matthews (d0ugal) on 2018-08-08
Changed in mistral:
milestone: rocky-rc1 → rocky-rc2
Dougal Matthews (d0ugal) on 2018-08-31
Changed in mistral:
milestone: rocky-rc2 → stein-1
Adriano Petrich (apetrich) wrote :

Pike has
paramiko>=2.0 # LGPLv2.1+

Master has
paramiko>=2.0.0 # LGPLv2.1+

So I don't think it is paramiko version related. I think it is related to the patch that passes on the result to the cli. We used to answer only "App: 500 failed" and now we are returning the full error message.

Adriano Petrich (apetrich) wrote :

I think the best solution is to return generic failed messages for std.ssh

Changed in mistral:
assignee: nobody → Adriano Petrich (apetrich)
Dougal Matthews (d0ugal) on 2018-09-03
information type: Private Security → Public Security
Changed in mistral:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/599363
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=c93b45a61f49d4633f76d8e117cd89063e7759c4
Submitter: Zuul
Branch: master

commit c93b45a61f49d4633f76d8e117cd89063e7759c4
Author: apetrich <email address hidden>
Date: Mon Sep 3 14:00:22 2018 +0200

    Remove extra information from std.ssh action

    The ssh error message can lead to information leak.
    Removing the extra ssh message affects only the CLI call;
    the full message is still being logged

    Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
    Closes-Bug: 1783708

Changed in mistral:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/601214
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=2309e5265a1d5f28480ae872817b5de05f66e83c
Submitter: Zuul
Branch: stable/rocky

commit 2309e5265a1d5f28480ae872817b5de05f66e83c
Author: apetrich <email address hidden>
Date: Mon Sep 3 14:00:22 2018 +0200

    Remove extra information from std.ssh action

    The ssh error message can lead to information leak.
    Removing the extra ssh message affects only the CLI call;
    the full message is still being logged

    Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
    Closes-Bug: 1783708
    (cherry picked from commit c93b45a61f49d4633f76d8e117cd89063e7759c4)

tags: added: in-stable-rocky

This issue was fixed in the openstack/mistral 7.0.1 release.

James Hebden (jhebden) wrote :

CVE-2018-16849 has been requested and assigned to this issue for tracking purposes.
