[OSSA 2013-037] DoS attack via setting os_type in snapshots (CVE-2013-6437)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | moorryan | |
| Grizzly | Fix Released | High | moorryan | |
| Havana | Fix Released | High | moorryan | |
| OpenStack Security Advisory | Fix Released | High | Thierry Carrez | |
Bug Description
If the os_type metadata is set on an image, the ephemeral disk backing file for that image will be named ephemeral_
Because the user can change os_type they can use this to create new ephemeral backing files.
Nova image cache management does not include deleting ephemeral backing files (presumably because they are expected to be a small, stable set).
Hence a user can fill the disk with ephemeral backing files via the following:
1) Spawn an instance
2) Create a snapshot from it, delete the original instance
3) In a loop:
   - generate a random os_type
   - set os_type to the snapshot
   - spawn an instance from it, and then delete the instance
Every iteration will generate an ephemeral backing file on a compute host. With a stacking scheduling policy there is a good chance of hitting the same host repeatedly until its disk is full.
Suggested mitigation
Only use “os_type” in the ephemeral file name if there is a specific mkfs command defined, otherwise use “default”. (Currently for undefined os-types it will use the default mkfs command, but still uses os_type in the name.)
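
Added illustration of the suggested mitigation (not part of the original report and not nova's own code): it compares how many distinct backing file names a host accumulates when os_type is used unfiltered versus only when a mkfs command is configured for it. The name layout after the `ephemeral_` prefix, the `MKFS_COMMANDS` table and all function names are assumptions.

```python
import uuid

# Hypothetical operator configuration: os_type -> mkfs command template.
MKFS_COMMANDS = {
    "linux": "mkfs.ext4 -L %(fs_label)s -F %(target)s",
    "windows": "mkfs.ntfs --force --fast --label %(fs_label)s %(target)s",
}
DEFAULT_KEY = "default"


def name_unfiltered(os_type, size_gb):
    """Behaviour described in the report: the user-controlled os_type
    goes straight into the backing file name (layout is assumed)."""
    return "ephemeral_%d_%s" % (size_gb, os_type or DEFAULT_KEY)


def name_filtered(os_type, size_gb, mkfs_commands=MKFS_COMMANDS):
    """Suggested mitigation: keep os_type in the name only when a specific
    mkfs command is defined for it, otherwise fall back to "default"."""
    key = os_type if os_type in mkfs_commands else DEFAULT_KEY
    return "ephemeral_%d_%s" % (size_gb, key)


def distinct_backing_files(namer, os_types, size_gb=20):
    """Number of backing files one host would keep for these boots,
    given that the image cache manager never deletes them."""
    return len({namer(t, size_gb) for t in os_types})


def sample_os_types(n=100):
    """Constructed input: n arbitrary os_type values plus the two
    configured ones and an image with no os_type set."""
    return [uuid.uuid4().hex for _ in range(n)] + ["linux", "windows", None]


if __name__ == "__main__":
    types = sample_os_types()
    # Unfiltered: one file per distinct os_type, unbounded.
    print("unfiltered:", distinct_backing_files(name_unfiltered, types))
    # Filtered: bounded by len(MKFS_COMMANDS) + 1 per ephemeral size.
    print("filtered:  ", distinct_backing_files(name_filtered, types))
```

With the filtered scheme the number of backing files per ephemeral disk size is bounded by the number of configured mkfs entries plus one, regardless of what users put in os_type.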
CVE References
| description: | updated |
| Changed in ossa: | |
| status: | Incomplete → Confirmed |
| Changed in ossa: | |
| importance: | Undecided → High |
| Changed in ossa: | |
| assignee: | nobody → moorryan (moorryan) |
| status: | Confirmed → In Progress |
| Changed in nova: | |
| status: | New → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → moorryan (moorryan) |
| Changed in nova: | |
| milestone: | none → icehouse-2 |
| Changed in nova: | |
| status: | Fix Committed → Fix Released |
| Changed in nova: | |
| milestone: | icehouse-2 → 2014.1 |

Sounds legit