Comment 51 for bug 2048114

kirualawliet (kirualawliet) wrote : Re: [Bug 2048114] Re: Unsafe Environment Handling in MuranoPL

Sorry for being so late to notice this review request. My bad, I made a
mistake earlier in the bug report mail by misspelling my teammate's name.
Can you please change 'edwardpeng' to 'Zhiniang Peng (@edwardzpeng)' in
OSSN-0093 and any other references?

On Fri, 15 Mar 2024 at 01:49, Jeremy Stanley <email address hidden>
wrote:

> I've proposed a WIP update for OSSN-0093 with details about this bug now
> that it's public. Please review at your earliest opportunity as I'm
> hoping to update the canonical copy on the wiki and send it to mailing
> lists later today:
> https://review.opendev.org/c/openstack/security-doc/+/913239
>
> ** Summary changed:
>
> - OpenStack Murano Component Information Leakage
> + Unsafe Environment Handling in MuranoPL
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2048114
>
> Title:
> Unsafe Environment Handling in MuranoPL
>
> Status in Murano:
> New
> Status in OpenStack Security Advisory:
> Won't Fix
> Status in OpenStack Security Notes:
> Confirmed
> Status in YAQL:
> Fix Released
>
> Bug description:
> Members of the VMT received the following report by E-mail from
> "kirualawliet l":
>
> Title: OpenStack Murano Component Information Leakage
>
> Reporter: lawliet and edwardpeng(@edwardzpeng) from Sangfor Security
> Research Team
>
> Products: OpenStack Murano Component
>
> Affects: All versions of Murano Component
>
> Description:
>
> The Sangfor Security Research Team has identified a critical security
> vulnerability in the Murano component of OpenStack. This vulnerability
> allows ordinary users capable of importing and deploying app packages
> to access sensitive information within OpenStack services.
> Specifically, through this exploit, unauthorized users can obtain
> Murano service account credentials, potentially escalating their
> privileges to an administrator level. Subsequently, unauthorized users
> can gain complete control over various resources, including user
> roles, hosts, and networks.
>
> The vulnerability stems from the Murano service's reliance on
> MuranoPL, an extension of the YAQL language. The YAQL library includes
> a 'format' function that mirrors Python's 'str.format' method,
> enabling attribute access.
>
> ```python
> # code snippet from yaql-2.0.0\standard_library\strings.py:569
> @specs.parameter('__format_string', yaqltypes.String())
> @specs.extension_method
> def format_(__format_string, *args, **kwargs):
>     ...
>     return __format_string.format(*args, **kwargs)
> ```
>
> An example of this vulnerability includes:
>
> ```
> >>> secret_key = "abcd1234"
> >>> class Test:
> ...     def __init__(self):
> ...         pass
> ...
> >>> t = Test()
> >>> # Exploiting the vulnerability to expose sensitive data:
> >>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
> >>> formatted_output = malicious_format_string.format(t)
> >>> print(formatted_output) # This line reveals the value of secret_key
> 'abcd1234'
> ```
>
> This exploit allows access to Murano service's oslo configuration
> storage, thereby exposing critical Murano service account credentials,
> granting unauthorized users administrative privileges.
>
> We believe no deployment mode is immune to this vulnerability. To
> ensure system security, we recommend immediate attention and
> remediation of this vulnerability within the OpenStack Murano
> component. Our team stands ready to offer assistance and collaboration
> in addressing and resolving this issue promptly.
>
> Thank you for your prompt attention to this matter.
>
> Sincerely,
> kirualawliet
> Sangfor Security Research Team
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/murano/+bug/2048114/+subscriptions
>
>
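
An added example, not part of the original report and not the fix shipped in YAQL or Murano: one way to expose a `format`-style helper to untrusted format strings is to subclass `string.Formatter` and refuse any field that traverses attributes or items. The names `SafeFormatter`, `safe_format`, `is_blocked` and `SECRET_KEY` are hypothetical, and the secret value is constructed to match the report's demonstration.

```python
import string

# Constructed stand-in for a secret living in module globals.
SECRET_KEY = "abcd1234"


class Test:
    def __init__(self):
        pass


class SafeFormatter(string.Formatter):
    """Allow only plain fields such as {0}, {} or {name}."""

    def get_field(self, field_name, args, kwargs):
        # str.format resolves "0.attr" and "0[key]" by walking attributes
        # and items of the argument. Refuse any field that asks for that.
        # Nested fields inside a format spec also pass through here.
        if "." in field_name or "[" in field_name:
            raise ValueError("field traversal not allowed: %r" % field_name)
        return super().get_field(field_name, args, kwargs)


def safe_format(format_string, *args, **kwargs):
    """Hypothetical replacement for a user-facing format() helper."""
    return SafeFormatter().vformat(format_string, args, kwargs)


def leaks_with_str_format():
    # Same traversal as in the report, against the constructed secret.
    return "{0.__class__.__init__.__globals__[SECRET_KEY]}".format(Test())


def is_blocked(format_string, *args, **kwargs):
    try:
        safe_format(format_string, *args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(leaks_with_str_format())
    print(safe_format("{0} has {n} items", "cart", n=3))
    print(is_blocked("{0.__class__.__init__.__globals__[SECRET_KEY]}", Test()))
    print(is_blocked("{0:{1.__class__}}", "x", Test()))
```

Ordinary positional and keyword fields, conversions and format specs keep working; only dotted or indexed field names are rejected.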