[OSSA-2024-005] Authorization bypassed when setting tags on networks (CVE-2024-53916)

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

The tag policy enforcer implemented in https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd is incorrect. The "target" (that is the parent resource hosting the tags) is incorrectly formatted in [1].

Tomorrow morning I'll propose a fix (without referring to this bug until is disclosed).

[1]https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py#102

I've pushed [1]. Please check that patch locally and provide some feedback if possible. Once confirmed, I'll add the bug reference to this patch. I will be needed to backport it up to 2023.2, according to [2].

[1]https://review.opendev.org/c/openstack/neutron/+/935883
[2]https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd

Hey Rodolfo,

According to the VMT Report Taxonomy ( https://security.openstack.org/vmt-process.html#report-taxonomy ) this seems to be a Class A. As long as you agree, I'll request a CVE number assignment.

-Jay

Yes, I agree with the taxonomy classification. This fix must be in master and up to 2023.2.

When would it be possible to define the bug in the U/S patch [1]?

[1]https://review.opendev.org/c/openstack/neutron/+/935883

If it's fixed (or the fix is in process), that means we just need to coordinate disclosure. I've requested a CVE number from Mitre, and will draft an OSSA notice by no-later-than EOD Monday. Once we get a CVE number, we can coordinate the merge of the patch and public notice.

@Rodolfo, once choice we have as well: we can change this bug to public security if it's not severe enough to be worth embargoing. Then we can still publish an OSSA + CVE once the CVE number is assigned to spur people to upgrade. The choice is really up to the project team, and if my understanding -- that tags are generally just descriptive and unlikely to be harmful -- is correct, I'd agree with such a decision.

More to the point, working lower-severity issues in public means less effort spent (private embargoes are inconvenient and should only be used when the risks warrant that additional level of secrecy), and we can get the fixes out to everyone more quickly because we don't need additional delays for supplying advance copies of patches/backports to downstream stakeholders.

Usually tags are descriptive. However, in this particular case they were used for billing. In any case, I would release the embargo and continue the process of merging the fix and the backports; then we'll release new versions with the patch.

Per the previous comments and the already-publicly-posted draft fix; this has been updated to public security. I will be proposing an OSSA to the public OSSA repository shortly. Let me know when the fix has merged in all the appropriate places and we can publish everything and update the CVE.

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/ossa/+/936200

Hello Rodolfo, apologies for the late response (I've been off work since Friday), but I tested your patch now, and it does seem to work correctly:

ubuntu@devstack-tore:/opt/stack/neutron$ base64 -d ~/fb75d3c.diff.base64 | patch -p1
patching file neutron/extensions/tagging.py
patching file neutron/objects/subnet.py
patching file neutron/tests/unit/extensions/test_tagging.py

ubuntu@devstack-tore:~$ sudo systemctl restart <email address hidden>

ubuntu@devstack-tore:~$ openstack network set --tag pwnd4 shared
ForbiddenException: 403: Client Error for url: http://10.255.255.135:9696/networking/v2.0/networks/a75396a5-dc52-43a1-ba9d-ab7ff9fe2d6c/tags, rule:update_networks_tags is disallowed by policy

The demo user is still permitted to set tags on the "private" network (as expected).

I am not familiar enough with the Neutron code base to review the actual code changes and their quality in any useful way, I'm afraid.

Tore

Fix proposed to branch: stable/2024.2
Review: https://review.opendev.org/c/openstack/neutron/+/936843

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/neutron/+/936846

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/936849

Reviewed: https://review.opendev.org/c/openstack/ossa/+/936200
Committed: https://opendev.org/openstack/ossa/commit/a1e1e2294c1a9365f5b02048a6f837c35458975f
Submitter: "Zuul (22348)"
Branch: master

commit a1e1e2294c1a9365f5b02048a6f837c35458975f
Author: Jay Faulkner <email address hidden>
Date: Mon Nov 25 12:14:27 2024 -0800

    Add OSSA-2024-005 (CVE-2024-53916)

    Closes-bug: #2088986
    Change-Id: Ic107e4612e4803021c464b74e263dd774e7ee2e6

I have emailed openstack-announce, and oss-security mailing lists. Additionally I have notified CVE that the fix is complete and requested they update the description with our full details from the OSSA.

Reviewed: https://review.opendev.org/c/openstack/neutron/+/935883
Committed: https://opendev.org/openstack/neutron/commit/fb75d3c4f185bb082f69c121090382d9eb803b94
Submitter: "Zuul (22348)"
Branch: master

commit fb75d3c4f185bb082f69c121090382d9eb803b94
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Nov 21 11:55:37 2024 +0000

    Fix the tagging policy engine

    The service tagging policy engine should consider the parent resource or
    the upper parent resource project ID when checking the policies against
    the caller project ID.

    Before this patch, as introduced in [1], the target was incorrectly
    populated with the caller project ID instead of using the resource ID.

    [1]https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py

    OSSA-2024-005 CVE-2024-53916

    Closes-Bug: #2088986
    Change-Id: Id7d0c8e7ba37993b1084519d05e7e2eac095b81b

Just noticed something odd on https://security.openstack.org/ossa/OSSA-2024-005.html. Under Credits it says «(C, V, E, -, 2, 0, 2, 4, -, 5, 3, 9, 1, 6)» which was probably meant to say «CVE-2024-53916».

https://security.openstack.org/ossa/OSSA-2024-004.html has the same problem, so I guess it isn't something wrong with the YAML file, but rather the web site rendering.

I just wanted to check if process was followed properly on this. We got notified about this CVE [1] on the 24th or 25th of November way before announcements were out.

Was CVE-2024-53916 suppose to contain the information before the announcements or should it have been a blank CVE description until announcements were done?

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-53916

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936843
Committed: https://opendev.org/openstack/neutron/commit/93e86fa84175b525f5b1dc5df1651a44d60219ba
Submitter: "Zuul (22348)"
Branch: stable/2024.2

commit 93e86fa84175b525f5b1dc5df1651a44d60219ba
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Nov 21 11:55:37 2024 +0000

    Fix the tagging policy engine

    The service tagging policy engine should consider the parent resource or
    the upper parent resource project ID when checking the policies against
    the caller project ID.

    Before this patch, as introduced in [1], the target was incorrectly
    populated with the caller project ID instead of using the resource ID.

    [1]https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py

    OSSA-2024-005 CVE-2024-53916

    Conflitcs:
        neutron/extensions/tagging.py

    Closes-Bug: #2088986
    Change-Id: Id7d0c8e7ba37993b1084519d05e7e2eac095b81b
    (cherry picked from commit fb75d3c4f185bb082f69c121090382d9eb803b94)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936846
Committed: https://opendev.org/openstack/neutron/commit/3510fc4b723a86af0a3fad6933c26cb4f1cae518
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 3510fc4b723a86af0a3fad6933c26cb4f1cae518
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Nov 21 11:55:37 2024 +0000

    Fix the tagging policy engine

    The service tagging policy engine should consider the parent resource or
    the upper parent resource project ID when checking the policies against
    the caller project ID.

    Before this patch, as introduced in [1], the target was incorrectly
    populated with the caller project ID instead of using the resource ID.

    [1]https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py

    OSSA-2024-005 CVE-2024-53916

    Conflitcs:
        neutron/extensions/tagging.py

    Closes-Bug: #2088986
    Change-Id: Id7d0c8e7ba37993b1084519d05e7e2eac095b81b
    (cherry picked from commit fb75d3c4f185bb082f69c121090382d9eb803b94)
    (cherry picked from commit 93e86fa84175b525f5b1dc5df1651a44d60219ba)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936849
Committed: https://opendev.org/openstack/neutron/commit/e697e1a0eafb1daac504c506b3ad2ed37dda03e7
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit e697e1a0eafb1daac504c506b3ad2ed37dda03e7
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Thu Nov 21 11:55:37 2024 +0000

    Fix the tagging policy engine

    The service tagging policy engine should consider the parent resource or
    the upper parent resource project ID when checking the policies against
    the caller project ID.

    Before this patch, as introduced in [1], the target was incorrectly
    populated with the caller project ID instead of using the resource ID.

    [1]https://review.opendev.org/c/openstack/neutron/+/896509/13/neutron/extensions/tagging.py

    OSSA-2024-005 CVE-2024-53916

    Conflitcs:
        neutron/extensions/tagging.py

    Closes-Bug: #2088986
    Change-Id: Id7d0c8e7ba37993b1084519d05e7e2eac095b81b
    (cherry picked from commit fb75d3c4f185bb082f69c121090382d9eb803b94)
    (cherry picked from commit 93e86fa84175b525f5b1dc5df1651a44d60219ba)
    (cherry picked from commit 3510fc4b723a86af0a3fad6933c26cb4f1cae518)

Tobias: See comments 7-10 on this bug, but essentially we opted to switch to our public workflow due to the low degree of risk assessed by Neutron representatives, rather than unnecessarily incur the additional resource costs of our private workflow. Where possible, OpenStack prefers to discuss and fix bugs in public, reserving costly embargoes for truly severe vulnerabilities where the additional effort is warranted.

Tore: Thanks for spotting the credits formatting issue, this was missed in review but should be fixed once https://review.opendev.org/c/openstack/ossa/+/937028 merges.

https://seclists.org/oss-sec/2024/q4/141 mentions that affected are "Neutron: >=23.0.0 <23.2.1, >=24.0.0 <24.0.2, >=25.0.0 <25.0.1". Is the minimum given (23.0.0) the version where the issue was actually introduced, or is this simply the lowest supported version that was examined?

In other words, if one is running an older version, is it known to be unaffected, or is it unknown?

Olaf: Comment #2 indicates the bug was introduced when the policy enforcer feature was added commit f9b91289a5c2948429e69e1b58098cec846fba99 on neutron's master branch first included in the 24.0.0.0b1 tag (a beta-test milestone for the 24.0.0 release), but was also backported into the stable/2023.2 branch as commit 11cfa25d1386618c15a01977e004a7f5e0957944 included in the 23.2.0 tag there.

I guess technically the lower-bound could have been listed as >=23.2.0, but >=23.0.0 conservatively covers that. If anyone feels strongly that correcting the affected lower bound up to start at 23.2.0 would be helpful, we can update the version published on security.openstack.org, and optionally circulate an errata announcement if deemed an important clarification.

Hello:

The issue reported here was released in the following versions:
* 2023.2: 23.2.0
* 2024.1: 24.0.0.0b1 and newer versions: 24.0.0.0rc1, 24.0.0.0rc2, 24.0.0 and 24.0.1
* 2024.2: 25.0.0.0b1 and newer versions: 25.0.0.0rc1, 25.0.0.0rc2, 25.0.0
* 2025.1: 26.0.0.0b1, still in development as is master branch.

Regards.

I've proposed the following new releases:
* 2023.2: https://review.opendev.org/c/openstack/releases/+/937113
* 2024.1: https://review.opendev.org/c/openstack/releases/+/937114
* 2024.2: https://review.opendev.org/c/openstack/releases/+/937115

This issue was fixed in the openstack/neutron 23.3.0 Bobcat release.

This issue was fixed in the openstack/neutron 25.1.0 Dalmatian release.

This issue was fixed in the openstack/neutron 24.1.0 Caracal release.

This issue was fixed in the openstack/neutron 26.0.0.0rc1 Epoxy release candidate.