[OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749)

Bug #1516765 reported by Matt Riedemann on 2015-11-16
Affects                        Importance   Assigned to
OpenStack Compute (nova)       High         Matt Riedemann
  Juno                         Undecided    Unassigned
  Kilo                         High         Tony Breeds
  Liberty                      High         Matt Riedemann
  Mitaka                       High         Matt Riedemann
OpenStack Security Advisory    Undecided    Unassigned

Bug Description

This code dumps the connection_info dict into the StorageError message:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L85-L87

As can be seen a few lines later, auth_password can be in that dict:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L96

So the password would be leaked into the error message that's raised up. This could eventually get back to the logs or a user if not handled properly.

Matt Riedemann (mriedem) wrote:

See related bug 1321785 for obfuscating the block device mapping connection_info dict.

Matt Riedemann (mriedem) wrote:

Confirmed that the StorageError in the volume_utils code would get raised up through the attach_volume method in the virt driver and that would be logged here:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/block_device.py#L259

Fix proposed to branch: master
Review: https://review.openstack.org/245987

Changed in nova:
status: Confirmed → In Progress
Matt Riedemann (mriedem) on 2015-11-16
tags: added: kilo-backport-potential liberty-backport-potential
tags: added: juno-backport-potential

Just to make sure, the exception will be logged without DEBUG mode, right?

Changed in ossa:
status: New → Confirmed

Reviewed: https://review.openstack.org/245987
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8b289237ed6d53738c22878decf0c429301cf3d0
Submitter: Jenkins
Branch: master

commit 8b289237ed6d53738c22878decf0c429301cf3d0
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765

Changed in nova:
status: In Progress → Fix Committed
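The pattern the bug description and the commit message above describe, as an added example that is not Nova's own code: a parser modelled on _parse_volume_info that interpolates the raw connection data into the StorageError, beside the masked form. mask_password here is a simplified stand-in for oslo_utils.strutils.mask_password, and the connection data is constructed.

```python
import re

# Constructed sample, modelled on the iSCSI connection data Nova's xenapi
# volume driver receives: target_iqn is deliberately missing so the parser
# takes its error path, while a CHAP password is still present.
BAD_CONNECTION_DATA = {
    "target_portal": "192.0.2.10:3260",
    "auth_method": "CHAP",
    "auth_username": "cinder-user",
    "auth_password": "s3cr3t-chap-pw",   # made-up value
}


class StorageError(Exception):
    pass


# Simplified stand-in for oslo_utils.strutils.mask_password (hypothetical,
# not oslo's code): stringify the input, then blank the string value of any
# key whose name contains password/secret/token.
_MASK_RE = re.compile(
    r"""(['"][^'"]*(?:password|secret|token)[^'"]*['"]\s*:\s*['"])"""
    r"""[^'"]*(['"])""", re.IGNORECASE)


def mask_password(message, secret="***"):
    return _MASK_RE.sub(lambda m: m.group(1) + secret + m.group(2), str(message))


def parse_volume_info_vulnerable(connection_data):
    """Pre-fix pattern: the whole dict is stringified into the error."""
    portal, iqn = connection_data.get("target_portal"), connection_data.get("target_iqn")
    if portal is None or iqn is None:
        raise StorageError("Unable to obtain target information %s" % connection_data)
    return portal, iqn


def parse_volume_info_fixed(connection_data):
    """Post-fix pattern: credentials are masked before the dict is interpolated."""
    portal, iqn = connection_data.get("target_portal"), connection_data.get("target_iqn")
    if portal is None or iqn is None:
        raise StorageError("Unable to obtain target information %s"
                           % mask_password(connection_data))
    return portal, iqn


def logged_message(parser, connection_data):
    """Return the exception text that attach_volume's error handler would log."""
    try:
        parser(connection_data)
    except StorageError as exc:
        return str(exc)
    return None
```

The vulnerable variant puts the CHAP password into the message that block_device.py later logs; the fixed variant keeps the non-secret fields useful for debugging and replaces only the password value.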

Reviewed: https://review.openstack.org/247825
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cf197ec2d682fb4da777df2291ca7ef101f73b77
Submitter: Jenkins
Branch: stable/liberty

commit cf197ec2d682fb4da777df2291ca7ef101f73b77
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765
    (cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)

Alan Pevec (apevec) on 2015-11-24
tags: removed: juno-backport-potential

This issue was fixed in the openstack/nova 13.0.0.0b1 development milestone.

Changed in nova:
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/249239
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ef1ccdaca9512b88878155f7d8c2c77853d91252
Submitter: Jenkins
Branch: stable/kilo

commit ef1ccdaca9512b88878155f7d8c2c77853d91252
Author: Matt Riedemann <email address hidden>
Date: Mon Nov 16 13:11:09 2015 -0800

    xen: mask passwords in volume connection_data dict

    The connection_data dict can have credentials in it, so we need to scrub
    those before putting the stringified dict into the StorageError message
    and raising that up and when logging the dict.

    Note that strutils.mask_password converts the dict to a string using
    six.text_type so we don't have to do that conversion first.

    SecurityImpact

    Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
    Closes-Bug: #1516765
    (cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)
    (cherry picked from commit cf197ec2d682fb4da777df2291ca7ef101f73b77)

Does this seem like a reasonable / correct impact description for this:

Title: Potential Xen connection password leak via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Mat Riedemann from IBM reported a information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials which are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova setups using the Xen backend are affected
by this flaw.

This is looking good to me Tony, thanks!
Though, the title could be a bit less dramatic if it also mentions "leak in log".

Matt Riedemann (mriedem) wrote:

Spelling my name correctly in the description would be nice (Matt). :)

Grant Murphy (gmurphy) wrote:

lol sorry matt.

Title: Xen connection password leak in logs via StorageError
Reporter: Matt Riedemann (IBM)
Products: Nova
Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

Description:
Matt Riedemann from IBM reported an information disclosure vulnerability
in Nova. If a StorageError occurs when attempting to connect a volume
using the Xen API, the connection parameters will be logged. These
parameters may include credentials that are not masked. An attacker
with read access to Nova logs could use these credentials with the
Xen API directly. Only Nova deployments using the Xen backend are
affected by this flaw.

Matt Riedemann (mriedem) wrote:

Per:

Affects: >= 2014.2 <= 2015.1.2, ==12.0.0

That's Juno, Kilo and Liberty, respectively. Since Icehouse was EOL at the time that I was checking this, I didn't include that in the bug report, but if it is affected do we need to list it (and previous versions)? If needed I can figure that out, I'll have to do it internally anyway since we still support going back to Grizzly. But if it's not something you'd put in that impact statement, nevermind.

Grant Murphy (gmurphy) wrote:

FWIW I based the version range on: git tag --contains 49765dda1021a96abd2d87aa642d65c299fbd69d

Oh well, if the oldest version affected is not easily identified, we can leave it open-ended: like this:

Affects: <= 2015.1.2, ==12.0.0

Else, the impact description proposed in comment #15 LGTM. Thanks Grant*

Changed in ossa:
status: Confirmed → Triaged
Jeremy Stanley (fungi) on 2016-01-07
information type: Public → Public Security
Grant Murphy (gmurphy) on 2016-01-07
summary: xenapi: volume_utils._parse_volume_info can leak connection password via
- StorageError
+ StorageError (CVE-2015-8749)
Changed in ossa:
status: Triaged → In Progress
Grant Murphy (gmurphy) on 2016-01-12
Changed in ossa:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/267178
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b2acc9fa864b6fe10bc0c5f3786b976b472b1b27
Submitter: Jenkins
Branch: stable/liberty

commit b2acc9fa864b6fe10bc0c5f3786b976b472b1b27
Author: Matt Riedemann <email address hidden>
Date: Wed Jan 13 09:41:57 2016 -0800

    Add security fixes to the release notes for 12.0.1

    There are two security fixes in the upcoming stable/liberty
    point release (12.0.1) so we should document those in the
    release notes.

    This shouldn't be merged until I11485f077d28f4e97529a691e55e3e3c0bea8872
    is merged. We don't use Depends-On here since we don't want to hold this
    up on the stable/kilo backport of that change.

    Change-Id: Ib2235d6aee540d9010dc86c73aff71179d46e921
    Related-Bug: #1516765
    Related-Bug: #1524274

tags: added: in-stable-liberty

This issue was fixed in the openstack/nova 12.0.1 release.

Matt Riedemann (mriedem) on 2016-03-04
tags: added: in-stable-kilo
removed: kilo-backport-potential liberty-backport-potential
summary: - xenapi: volume_utils._parse_volume_info can leak connection password via
- StorageError (CVE-2015-8749)
+ [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak
+ connection password via StorageError (CVE-2015-8749)

Reviewed: https://review.openstack.org/291208
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9c0bbda07fdcf134308371644d09becbb18c62b1
Submitter: Jenkins
Branch: master

commit 9c0bbda07fdcf134308371644d09becbb18c62b1
Author: Matt Riedemann <email address hidden>
Date: Thu Mar 10 09:35:00 2016 -0500

    Add release notes for security fixes in 13.0.0 mitaka GA

    There are three security issues fixed in mitaka.

    The first two were documented for liberty 12.0.1 but we
    apparently forgot to doc them for mitaka.

    Related-Bug: #1524274
    Related-Bug: #1516765
    Related-Bug: #1548450

    Change-Id: I3eba75f1fc86c4c9abd258042dfafc6df1f2405c
