Comment 0 for bug 2048114

Jeremy Stanley (fungi) wrote : OpenStack Murano Component Information Leakage

Members of the VMT received the following report by E-mail from "kirualawliet l":

Title: OpenStack Murano Component Information Leakage

Reporter: lawliet and edwardpeng(@edwardzpeng) from Sangfor Security Research Team

Products: OpenStack Murano Component

Affects: All versions of Murano Component

Description:

The Sangfor Security Research Team has identified a critical security vulnerability in the Murano component of OpenStack. This vulnerability allows ordinary users capable of importing and deploying app packages to access sensitive information within OpenStack services. Specifically, through this exploit, unauthorized users can obtain Murano service account credentials, potentially escalating their privileges to an administrator level. Subsequently, unauthorized users can gain complete control over various resources, including user roles, hosts, and networks.

The vulnerability stems from the Murano service's reliance on MuranoPL, an extension of the YAQL language. The YAQL library includes a 'format' function that mirrors Python's 'str.format' method, enabling attribute access.

```python
# code snippet from yaql-2.0.0\standard_library\strings.py:569
@specs.parameter('__format_string', yaqltypes.String())
@specs.extension_method
def format_(__format_string, *args, **kwargs):
    ...
    return __format_string.format(*args, **kwargs)
```

An example of this vulnerability includes:

```
>>> secret_key = "abcd1234"
>>> class Test:
...     def __init__(self):
...         pass
...
>>> t = Test()
>>> # Exploiting the vulnerability to expose sensitive data:
>>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
>>> formatted_output = malicious_format_string.format(t)
>>> print(formatted_output) # This line reveals the value of secret_key
abcd1234
```

This exploit allows access to the Murano service's oslo configuration storage, thereby exposing critical Murano service account credentials, granting unauthorized users administrative privileges.

We believe no deployment mode is immune to this vulnerability. To ensure system security, we recommend immediate attention and remediation of this vulnerability within the OpenStack Murano component. Our team stands ready to offer assistance and collaboration in addressing and resolving this issue promptly.

Thank you for your prompt attention to this matter.

Sincerely,
kirualawliet
Sangfor Security Research Team
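
The following is an added example, not part of the report and not code from yaql or Murano: it puts the `str.format` behaviour described above next to a formatter that refuses attribute and index traversal in field names. `NoTraversalFormatter`, `safe_format`, `leaky_format` and `is_refused` are hypothetical names, and this is one possible mitigation, not the project's actual fix.

```python
import string

secret_key = "abcd1234"  # constructed sample value, same as in the report


class Test:
    def __init__(self):
        pass


class NoTraversalFormatter(string.Formatter):
    """Formats plain positional/keyword arguments only (hypothetical helper)."""

    def get_field(self, field_name, args, kwargs):
        # "0.__class__" or "0[key]" walk from an argument into the object
        # graph; accept only a bare argument index or keyword name.
        if "." in field_name or "[" in field_name:
            raise ValueError("attribute/index access refused: %r" % field_name)
        return super().get_field(field_name, args, kwargs)


def leaky_format(fmt, *args, **kwargs):
    # Same behaviour as the yaql snippet quoted above: plain str.format.
    return fmt.format(*args, **kwargs)


def safe_format(fmt, *args, **kwargs):
    # vformat() also routes fields nested inside a format spec through get_field().
    return NoTraversalFormatter().vformat(fmt, args, kwargs)


def is_refused(fmt, *args, **kwargs):
    try:
        safe_format(fmt, *args, **kwargs)
    except ValueError:
        return True
    return False


PAYLOAD = "{0.__class__.__init__.__globals__[secret_key]}"  # string from the report

if __name__ == "__main__":
    print(leaky_format(PAYLOAD, Test()))                 # module global is exposed
    print(is_refused(PAYLOAD, Test()))                   # traversal rejected
    print(is_refused("{0:{1.__class__}}", 1, 2))         # nested field rejected too
    print(safe_format("{0} has {n} items", "env", n=3))  # ordinary use still works
```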