std.ssh action can be used to explore executor's filesystem

Bug #1783708 reported by Pierre Gaxatte
Affects: Mistral
Status: Fix Released
Importance: High
Assigned to: Adriano Petrich

Bug Description

Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem:

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/notthere"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/notthere'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: [Errno 2] No such file or directory: u'/notthere'"}

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/passwd"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/passwd'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}

This can help detect the nature of the underlying system:

mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/debian_version"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/debian_version'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}

-> Hello Debian based system!

This behavior is not present in pike (haven't tested versions in between pike and master) because it does not allow absolute paths.

Pierre Gaxatte (pierre-gaxatte) wrote :

I only see two options out of this problem:

1) Remove the possibility to use an absolute path, but this might break stuff

2) Put a generic error message for both (file does not exist or file exists but is not a valid key) that does not disclose the existence of the file. Something like "Cannot use private key [...]"

Dougal Matthews (d0ugal) wrote :

We use paramiko for SSH, I wonder if a more recent version changed the error, exposing more information.

Changed in mistral:
status: New → Confirmed
importance: Undecided → High
milestone: none → rocky-3
Pierre Gaxatte (pierre-gaxatte) wrote :

The same error will probably happen in an older version of paramiko, but this is less of a problem since the path cannot escape /var/lib/mistral.

Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-3 → rocky-rc1
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-rc1 → rocky-rc2
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-rc2 → stein-1
Adriano Petrich (apetrich) wrote :

Pike has
paramiko>=2.0 # LGPLv2.1+

Master has
paramiko>=2.0.0 # LGPLv2.1+

So I don't think it is paramiko version related. I think it is related to the patch that passes on the result to the cli. We used to answer only "App: 500 failed" and now we are returning the full error message.

Adriano Petrich (apetrich) wrote :

I think the best solution is to return generic failed messages for std.ssh.

Changed in mistral:
assignee: nobody → Adriano Petrich (apetrich)
Dougal Matthews (d0ugal)
information type: Private Security → Public Security
Changed in mistral:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (master)

Reviewed: https://review.openstack.org/599363
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=c93b45a61f49d4633f76d8e117cd89063e7759c4
Submitter: Zuul
Branch: master

commit c93b45a61f49d4633f76d8e117cd89063e7759c4
Author: apetrich <email address hidden>
Date: Mon Sep 3 14:00:22 2018 +0200

    Remove extra information from std.ssh action

    The ssh error message can lead to information leak.
    Removing the extra ssh message affects only the CLI call,
    the full message is still being logged

    Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
    Closes-Bug: 1783708
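
The mitigations discussed in this report (one generic message for the caller, the full cause kept in the log, and key paths confined to one directory as in pike), as an added example that is not Mistral's code. `ActionError`, `load_private_key`, `resolve_key_path`, `get_key_for_action` and `caller_visible_errors` are hypothetical names, and the key parser is a simplified stand-in for paramiko.

```python
import logging
import os

log = logging.getLogger("ssh_action_example")
GENERIC_ERROR = "Cannot use private key"  # same text for every failure cause


class ActionError(Exception):
    """Error whose message is safe to return to the API caller."""


def load_private_key(path):
    # Stand-in parser (assumption): OSError if unreadable, ValueError if not PEM.
    with open(path, "rb") as fh:
        data = fh.read()
    if b"PRIVATE KEY-----" not in data:
        raise ValueError("not a valid private key file")
    return data


def resolve_key_path(key_dir, filename):
    # Confine the key to key_dir: absolute paths and ../ escapes are rejected.
    root = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("key path escapes %s" % root)
    return candidate


def get_key_for_action(key_dir, filename):
    try:
        return load_private_key(resolve_key_path(key_dir, filename))
    except (OSError, ValueError) as exc:
        # The full cause goes to the operator's log only, never to the caller.
        log.warning("std.ssh key load failed for %r: %s", filename, exc)
        raise ActionError(GENERIC_ERROR) from None


def caller_visible_errors(key_dir, filenames):
    # What an API caller would see for each requested key filename.
    seen = {}
    for name in filenames:
        try:
            get_key_for_action(key_dir, name)
            seen[name] = None
        except ActionError as exc:
            seen[name] = str(exc)
    return seen
```

A missing file, an existing non-key file and a path outside the key directory all produce the same caller-visible text, so the response no longer distinguishes them.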

Changed in mistral:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/601214

OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/rocky)

Reviewed: https://review.openstack.org/601214
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=2309e5265a1d5f28480ae872817b5de05f66e83c
Submitter: Zuul
Branch: stable/rocky

commit 2309e5265a1d5f28480ae872817b5de05f66e83c
Author: apetrich <email address hidden>
Date: Mon Sep 3 14:00:22 2018 +0200

    Remove extra information from std.ssh action

    The ssh error message can lead to information leak.
    Removing the extra ssh message affects only the CLI call,
    the full message is still being logged

    Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
    Closes-Bug: 1783708
    (cherry picked from commit c93b45a61f49d4633f76d8e117cd89063e7759c4)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral 7.0.1

This issue was fixed in the openstack/mistral 7.0.1 release.

James Hebden (ec0) wrote :

CVE-2018-16849 has been requested and assigned to this issue for tracking purposes.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/620084

OpenStack Infra (hudson-openstack) wrote : Fix merged to mistral (stable/queens)

Reviewed: https://review.openstack.org/620084
Committed: https://git.openstack.org/cgit/openstack/mistral/commit/?id=32e8b18959be1b6a1853c9e8430598514bea9e4e
Submitter: Zuul
Branch: stable/queens

commit 32e8b18959be1b6a1853c9e8430598514bea9e4e
Author: apetrich <email address hidden>
Date: Mon Sep 3 14:00:22 2018 +0200

    Remove extra information from std.ssh action

    The ssh error message can lead to information leak.
    Removing the extra ssh message affects only the CLI call,
    the full message is still being logged

    Change-Id: I0b28e1cb17d4ce3ae711a25b6eaffb4ebf00ccd6
    Closes-Bug: 1783708
    (cherry picked from commit c93b45a61f49d4633f76d8e117cd89063e7759c4)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral 8.0.0.0b1

This issue was fixed in the openstack/mistral 8.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/mistral queens-eol

This issue was fixed in the openstack/mistral queens-eol release.
