[OSSA 2012-011] CVE-2012-3361 not fully addressed

Bug #1031311 reported by Pádraig Brady on 2012-07-31
Affects                        Importance   Assigned to
OpenStack Compute (nova)       Critical     Pádraig Brady
  Essex                        Critical     Pádraig Brady
OpenStack Security Advisory    Undecided    Thierry Carrez
nova (Ubuntu)                  Undecided    Unassigned
  Precise                      Undecided    Unassigned

Bug Description

Unfortunately the patches released for bug 1015531, didn't consider permissions in the guest.

If there is a root only readable directory in the guest containing the dodgy symlinks, then they will not be detected by _join_and_check_path_within_fs() because it runs as the nova user.
Therefore the equivalent of this function needs to run as the root user.

Folsom patch attached.
Diablo & Essex versions would need readlink added to rootwrap
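The following is an added example written for this page; it is not nova's code and not the reporter's patch. It models the check described above: a guest-relative path is joined onto the mounted image root, canonicalized so that every symlink is followed, and only accepted if the result still lies under the mount. The function names (join_and_check_path_within_fs, naive_join_and_check, readlink_m), the constructed temporary guest tree, and the rootwrap command prefix are all assumptions of this example. The default canonicalizer is os.path.realpath, which runs in-process and therefore cannot see inside directories the calling user may not read; readlink_m shows the shape of the alternative the bug calls for, where 'readlink -m' is executed through a privileged wrapper so the lookup traverses root-only directories.

```python
import os
import shutil
import subprocess
import tempfile


def readlink_m(path, prefix=()):
    """Canonicalize path with GNU 'readlink -m' (follows every symlink and
    tolerates missing trailing components). prefix is an assumed privilege
    wrapper such as ('sudo', 'nova-rootwrap', '/etc/nova/rootwrap.conf');
    running readlink as root is what lets it look inside 0700 root-owned
    guest directories that hide symlinks from an unprivileged resolver."""
    out = subprocess.check_output(list(prefix) + ['readlink', '-m', path])
    return out.decode().strip()


def naive_join_and_check(fs, path):
    """The inadequate form of the check: lexical normalization only.
    A symlink inside the guest is not followed, so a link that points at
    the host filesystem still 'starts with' the mount point and passes."""
    full = os.path.normpath(os.path.join(fs, path.lstrip('/')))
    if full != fs and not full.startswith(fs + os.sep):
        raise ValueError('%s escapes %s' % (path, fs))
    return full


def join_and_check_path_within_fs(fs, path, canonicalize=os.path.realpath):
    """Join a guest path onto the mounted image root and reject it unless
    the fully resolved location is still inside the mount. canonicalize
    is pluggable: pass readlink_m (with a privileged prefix) in a
    deployment where guest directories may be unreadable to this user."""
    fs = canonicalize(fs)                      # canonical mount point
    full = canonicalize(os.path.join(fs, path.lstrip('/')))
    if full != fs and not full.startswith(fs + os.sep):
        raise ValueError('%s resolves to %s, outside %s' % (path, full, fs))
    return full


def demo():
    """Build a constructed guest tree containing a symlink that points at
    the host root, then compare the two checks on the same injection path.
    Returns a dict describing what each check decided."""
    root = tempfile.mkdtemp(prefix='guestfs-')
    try:
        os.mkdir(os.path.join(root, 'etc'))
        # constructed hostile guest content: /escape -> host filesystem root
        os.symlink(os.sep, os.path.join(root, 'escape'))

        results = {}
        # lexical check: accepted, because the symlink is never resolved
        results['naive'] = naive_join_and_check(root, '/escape/etc/passwd')
        # canonicalizing check: rejected, because it resolves to /etc/passwd
        try:
            join_and_check_path_within_fs(root, '/escape/etc/passwd')
            results['canonical'] = 'accepted'
        except ValueError:
            results['canonical'] = 'rejected'
        # a legitimate guest path (file need not exist yet) is still allowed
        benign = join_and_check_path_within_fs(root, '/etc/hosts')
        results['benign_under_root'] = benign.startswith(
            os.path.realpath(root) + os.sep)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(demo())
```

The in-process resolver is enough to demonstrate the logic, but it inherits the caller's permissions; the bug is precisely that nova's resolver ran as the nova user while the injection itself ran as root. Whatever canonicalizer is used must have at least the privileges of the code that will later open the path.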

Pádraig Brady (p-draigbrady) wrote :
description: updated
Thierry Carrez (ttx) wrote :

Adding Vish and MarkMC since this /may/ delay 2012.1.2.

Mark McLoughlin (markmc) wrote :

Yes, since we do all file injection as root, we need to do the path canonicalization as root. Uggh.

I think it makes sense to delay 2012.1.2 - it seems wrong to do a release claiming it fixes CVE-2012-3361 while we know the fix is incomplete.

Patch looks good to me - though if you reverted the s/absolute_path/abs_path/ it would make the straightforward nature of the change more obvious

Looks like 'readlink -m' has been around since 2004, so no concerns about its availability

Pádraig Brady (p-draigbrady) wrote :

folsom patch

Pádraig Brady (p-draigbrady) wrote :

essex patch

Pádraig Brady (p-draigbrady) wrote :

diablo patch.

Note this must be applied after https://review.openstack.org/#/c/9268/
which has been abandoned due to gating issues.

Note also that this requires users to update their nova sudoers
file to include 'readlink'

Thierry Carrez (ttx) on 2012-07-31
Changed in nova:
importance: High → Critical
status: New → Confirmed
Thierry Carrez (ttx) wrote :

Please confirm patches and approve proposed impact description. Will be published as an ERRATA to OSSA-2012-008 if it gets the same CVE, and as a separate advisory if it gets a new CVE...

Title: OSSA-2012-008 ERRATA: Incomplete fix
Impact: Critical
Reporter: Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Pádraig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting an instance based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.

Additional fixes needed:
...

Pádraig Brady (p-draigbrady) wrote :

Description in comment 7 looks good.

Thanks!

Steve Beattie (sbeattie) wrote :

As announcements went out for the incomplete fix (openstack OSSA-2012-008, Ubuntu USN 1501-1), MITRE will likely want a separate CVE issued for the complete fix, so that users can be assured that vendors have addressed both elements of the issue.

(As an example of how a similar issue was handled with php, see http://www.openwall.com/lists/oss-security/2012/05/09/6 ; specifically the handling of CVE-2012-2311 and CVE-2012-NEW-2, which later in the email thread was assigned as CVE-2012-2336.)

Thierry Carrez (ttx) wrote :

Thanks Steve. Adjusted title/description to match:

Title: Compute node filesystem injection/corruption
Impact: Critical
Reporter: Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Pádraig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting a server based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.

Mark McLoughlin (markmc) wrote :

Patches look good to me

I wondered why rootwrap didn't need updating in Folsom, but I see we have readlink in compute.filters already - might be good to add 'readlink -m' to the comment ... that'll help people realize that you didn't overlook rootwrap

Dan Prince (dan-prince) wrote :

Looks good to me too. Nice one.

Russell Bryant (russellb) wrote :

Patches and advisory look good to me, too.

Thierry Carrez (ttx) wrote :

Sent to downstream stakeholders.

Proposed public disclosure date/time:
*Tuesday August 7th, 1500UTC*

Thierry Carrez (ttx) wrote :

Issue was assigned CVE-2012-3447

Thierry Carrez (ttx) wrote :

Adding a few more subscribers to help in coordinating disclosure.

Thierry Carrez (ttx) wrote :

Published patches, opened bugs

visibility: private → public
Thierry Carrez (ttx) on 2012-08-07
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
assignee: nobody → Pádraig Brady (p-draigbrady)

Reviewed: https://review.openstack.org/10951
Committed: http://github.com/openstack/nova/commit/ce4b2e27be45a85b310237615c47eb53f37bb5f3
Submitter: Jenkins
Branch: master

commit ce4b2e27be45a85b310237615c47eb53f37bb5f3
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:05:35 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Changed in nova:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/10952
Committed: http://github.com/openstack/nova/commit/d9577ce9f266166a297488445b5b0c93c1ddb368
Submitter: Jenkins
Branch: stable/essex

commit d9577ce9f266166a297488445b5b0c93c1ddb368
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:05:35 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Reviewed: https://review.openstack.org/10953
Committed: http://github.com/openstack/nova/commit/ed89587d525e0214cb367aa4632df45903c6ac09
Submitter: Jenkins
Branch: stable/diablo

commit ed89587d525e0214cb367aa4632df45903c6ac09
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:34:19 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Note this requires adding the 'readlink' binary to the
    nova sudoers file.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Thierry Carrez (ttx) on 2012-08-16
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Dave Walker (davewalker) on 2012-08-24
Changed in nova (Ubuntu):
status: New → Fix Released
Changed in nova (Ubuntu Precise):
status: New → Confirmed

Ubuntu 12.04 LTS was fixed in http://www.ubuntu.com/usn/usn-1545-1/

Changed in nova (Ubuntu Precise):
status: Confirmed → Fix Released

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Nova has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/10951
Stable review: https://review.openstack.org/10952

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Test coverage log.

tags: added: verification-done

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thierry Carrez (ttx) on 2012-09-27
Changed in nova:
milestone: folsom-3 → 2012.2
Thierry Carrez (ttx) on 2013-06-07
summary: - CVE-2012-3361 not fully addressed
+ [OSSA 2012-011] CVE-2012-3361 not fully addressed
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
Sean Dague (sdague) on 2014-09-15
no longer affects: nova/diablo