Comment 5 for bug 2048114

kirualawliet (kirualawliet) wrote : Re: [Bug 2048114] Re: OpenStack Murano Component Information Leakage

Hello Jeremy Stanley,
I wanted to know whether the Murano team has received information
regarding the vulnerability. I haven't seen any progress on the
vulnerability fix on Launchpad and would like to understand the current
situation. Our plan is to disclose the technical details of the
vulnerability publicly one month from now if there are no intentions to
address it.
Best regards,
lawliet

On Sat, 6 Jan 2024 at 00:10, Jeremy Stanley <email address hidden> wrote:

> I've also subscribed kirualawliet, the original reporter.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2048114
>
> Title:
> OpenStack Murano Component Information Leakage
>
> Status in Murano:
> New
> Status in OpenStack Security Advisory:
> Won't Fix
>
> Bug description:
> Members of the VMT received the following report by E-mail from
> "kirualawliet l":
>
> Title: OpenStack Murano Component Information Leakage
>
> Reporter: lawliet and edwardpeng(@edwardzpeng) from Sangfor Security
> Research Team
>
> Products: OpenStack Murano Component
>
> Affects: All versions of Murano Component
>
> Description:
>
> The Sangfor Security Research Team has identified a critical security
> vulnerability in the Murano component of OpenStack. This vulnerability
> allows ordinary users capable of importing and deploying app packages
> to access sensitive information within OpenStack services.
> Specifically, through this exploit, unauthorized users can obtain
> Murano service account credentials, potentially escalating their
> privileges to an administrator level. Subsequently, unauthorized users
> can gain complete control over various resources, including user
> roles, hosts, and networks.
>
> The vulnerability stems from the Murano service's reliance on
> MuranoPL, an extension of the YAQL language. The YAQL library includes
> a 'format' function that mirrors Python's 'str.format' method,
> enabling attribute access.
>
> ```python
> # code snippet from yaql-2.0.0\standard_library\strings.py:569
> from yaql.language import specs, yaqltypes
>
>
> @specs.parameter('__format_string', yaqltypes.String())
> @specs.extension_method
> def format_(__format_string, *args, **kwargs):
>     ...
>     # Delegates straight to str.format(), so replacement fields may use
>     # '.attr' and '[key]' traversal on the supplied arguments.
>     return __format_string.format(*args, **kwargs)
> ```
>
> An example of this vulnerability includes:
>
> ```
> >>> secret_key = "abcd1234"
> >>> class Test:
> ...     def __init__(self):
> ...         pass
> ...
> >>> t = Test()
> >>> # Exploiting the vulnerability to expose sensitive data:
> >>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
> >>> formatted_output = malicious_format_string.format(t)
> >>> print(formatted_output)  # This line reveals the value of secret_key
> abcd1234
> ```
>
> This exploit allows access to Murano service's oslo configuration
> storage, thereby exposing critical Murano service account credentials,
> granting unauthorized users administrative privileges.
>
> We believe no deployment mode is immune to this vulnerability. To
> ensure system security, we recommend immediate attention and
> remediation of this vulnerability within the OpenStack Murano
> component. Our team stands ready to offer assistance and collaboration
> in addressing and resolving this issue promptly.
>
> Thank you for your prompt attention to this matter.
>
> Sincerely,
> kirualawliet
> Sangfor Security Research Team
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/murano/+bug/2048114/+subscriptions
>
>
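As an added example that is not part of the bug report or of the yaql/Murano code, one defensive way to close this class of hole: a `string.Formatter` subclass that refuses attribute and index traversal in replacement fields, so a template can only substitute whole positional or keyword arguments. The names `StrictFormatter`, `safe_format` and `is_blocked` are my own.

```python
"""Added example (not from the bug report or the Murano/yaql projects):
a string.Formatter subclass that refuses attribute and index traversal
in replacement fields, so format strings can only substitute whole
positional or keyword arguments."""
import string


class StrictFormatter(string.Formatter):
    """Formatter that only allows plain '{0}' / '{name}' fields.

    str.format() lets a field walk into an argument with '.attr' and
    '[key]', which is what exposes __class__ / __globals__ in the report.
    Overriding get_field() rejects any traversal before a lookup happens.
    """

    def get_field(self, field_name, args, kwargs):
        # field_name is the text between '{' and the first ':' or '!'.
        if '.' in field_name or '[' in field_name:
            raise ValueError(
                'attribute/index access not allowed in format field: %r'
                % field_name)
        return super().get_field(field_name, args, kwargs)

    def convert_field(self, value, conversion):
        # '!r' / '!a' would leak repr() of arbitrary objects; keep only '!s'.
        if conversion not in (None, 's'):
            raise ValueError('conversion !%s not allowed' % conversion)
        return super().convert_field(value, conversion)


def safe_format(format_string, *args, **kwargs):
    """Drop-in replacement for the unrestricted __format_string.format()."""
    return StrictFormatter().vformat(format_string, args, kwargs)


def is_blocked(format_string, *args, **kwargs):
    """True if safe_format refuses the template (used by the demo and tests)."""
    try:
        safe_format(format_string, *args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    class Holder:  # constructed stand-in for any object passed to format()
        pass

    print(safe_format('hello {0} and {name}', 'world', name='murano'))
    # The traversal used in the report is rejected before any lookup runs.
    print(is_blocked('{0.__class__}', Holder()))
```

Plain substitution and ordinary format specs such as `{0:>5}` keep working; only fields that reach into an argument are refused.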