[Murano] Possible RCE using insecure YAML tags

Bug #1586136 reported by Serg Melikyan on 2016-05-26
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
Undecided
Kirill Zaitsev

Bug Description

By uploading specially crafted application to his tenant and adding this application to the environment in murano user may exploit arbitrary remote code execution vulnerability which affects all version of OpenStack starting from 2014.2 and up.

Any application for murano contains several mandatory artifacts which are defined in YAML or YAML-based language:
 * UI Definition - defines user input
 * Workflow(s) - defines how application is going to be deployed and general lifecycle events
 * Metadata - contains metadata about application: version, author name and so on.

These artifacts are processes by several murano components, and in few places Murano uses class YamlLoader from PyYAML (or descendant of this class) which allows execution arbitrary Python code:
http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes

One of the places where murano is using YaqlYamlLoader (which is inherited from YamlLoader) is murano-dashboard when it's processing UI Definition file.

Given that any user can upload application and deploy this uploaded application in his tenant this leads to Remote Code Execution on any cloud which has Murano installed and feature of uploading application is enabled for regular users (enabled by default).

We assume for now that all Murano versions are affected starting from OpenStack Juno (2014.2).

Corresponding bugs in Murano tracker:
[python-muranoclient] https://bugs.launchpad.net/python-muranoclient/+bug/1586078
[murano] https://bugs.launchpad.net/murano/+bug/1586079

We continuing exploring where else this may be exploited in Murano.

CVE References

Changed in ossa:
status: New → Incomplete
description: updated
Victor Ryzhenkin (vryzhenkin) wrote :

Draft:

Title: RCE vulnerability in Openstack Murano using insecure YAML tags
Reporter: Kirill Zaitsev
Products: OpenStack Murano
Affects: >=2014.2

Description:
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform a Remote Code Execution attack.
All setups of Murano are affected.

Serg Melikyan (smelikyan) wrote :

Kirill, please confirm all affected places and affected versions of OpenStack

description: updated
description: updated
description: updated
description: updated
description: updated
Kirill Zaitsev (kzaitsev) wrote :

I'm can confirm, that this vulnerability exists in dashboard, murano-engine and (at least partially) in python-muranoclient in all versions starting with 2014.2

Note that the impact description could use upper cap for affected versions, e.g.:
  >=1.0.0 <=1.0.2 and ==2.0.0

If multiple projects are impacted, then they should be listed in the "Products" line as well as in the "Affects" line (probably different versions for each projects).

Kirill Zaitsev (kzaitsev) wrote :

Draft:

Title: RCE vulnerability in Openstack Murano using insecure YAML tags
Reporter: Kirill Zaitsev
Products: OpenStack Murano, Murano Dashboard, python-muranoclient
Affects: >=2014.2, >1.0.0 (for murano and murano-dashboard); >=0.5.3 (for python-muranoclient)

Description:
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform a Remote Code Execution attack.

Kirill Zaitsev (kzaitsev) wrote :

Currently all versions are affected. As soon as we land the patches — we're going to request releases from release team. Should we mention these unreleased versions as safe in the announcement?

Kirill Zaitsev (kzaitsev) wrote :

Title: RCE vulnerability in Openstack Murano using insecure YAML tags
Reporter: Kirill Zaitsev
Product: murano
Affects: <=2015.1.1; <=1.0.2; ==2.0.0
Product: murano-dashboard
Affects: <=2015.1.1; <=1.0.2; ==2.0.0
Product: python-muranoclient
Affects: <=0.7.2; >=0.8.0<=0.8.4

Description:
Kirill Zaitsev from Mirantis reported a vulnerability in OpenStack Murano applications processing. Using extended YAML tags in Murano application YAML files, an attacker can perform a Remote Code Execution attack.

The above impact description looks correct. Do you have patches ready for all projects and supported branch ? We usually wait for pre-approved backports before requesting the CVE.

Kirill Zaitsev (kzaitsev) wrote :

We do have patches for all the branches (even kilo, although we most likely would not be able to merge them), attached to https://bugs.launchpad.net/python-muranoclient/+bug/1586078 and https://bugs.launchpad.net/murano/+bug/1586079

If I understand correctly, murano-dashboard is fixed by murano and python-muranoclient patch. Then perhaps there is no need to mention murano-dashboard as an affected product.

Anyways, once you have the patch ready, the next step is to request a CVE to a CVE Number Authority ("CNA") such as <email address hidden>, preferably using an encrypted and signed email:
  https://security.openstack.org/vmt-process.html#cve-request-email-private-issues

Changed in ossa:
status: Incomplete → In Progress
Changed in ossa:
assignee: nobody → Kirill Zaitsev (kzaitsev)
status: In Progress → Fix Committed
information type: Private Security → Public Security
description: updated

Change abandoned by Kirill Zaitsev (<email address hidden>) on branch: master
Review: https://review.openstack.org/333477

The Murano advisory has been completed, but not part of the OSSA task.

Changed in ossa:
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers