Comment 12 for bug 2048114

kirualawliet (kirualawliet) wrote : Re: [Bug 2048114] Re: OpenStack Murano Component Information Leakage

Yes, I have reviewed the announcement and understand that Murano is
currently not overseen by VMT. However, I recently learned that a cloud
platform developed by a certain cloud provider based on OpenStack Murano is
also affected by this vulnerability; we have identified a few cases in China.
The vulnerability poses a significant risk. In order to prevent users from
suffering losses, if possible, please apply for a CVE and try to issue a
security advisory to remind users to update security patches promptly.

On Thu, 22 Feb 2024 at 22:40, Jeremy Stanley <email address hidden>
wrote:

> Added, but in future you should feel free to subscribe subject matter
> experts yourself when their input is needed on such bug reports.
>
> Also, just to reiterate what I stated in comment #3, the VMT doesn't
> officially oversee or coordinate vulnerability reports for Murano,
> though we're happy to assist on a best-effort basis when requested.
>
>
> Title:
> OpenStack Murano Component Information Leakage
>
> Status in Murano:
> New
> Status in OpenStack Security Advisory:
> Won't Fix
>
> Bug description:
> Members of the VMT received the following report by E-mail from
> "kirualawliet l":
>
> Title: OpenStack Murano Component Information Leakage
>
> Reporter: lawliet and edwardpeng(@edwardzpeng) from Sangfor Security
> Research Team
>
> Products: OpenStack Murano Component
>
> Affects: All versions of Murano Component
>
> Description:
>
> The Sangfor Security Research Team has identified a critical security
> vulnerability in the Murano component of OpenStack. This vulnerability
> allows ordinary users capable of importing and deploying app packages
> to access sensitive information within OpenStack services.
> Specifically, through this exploit, unauthorized users can obtain
> Murano service account credentials, potentially escalating their
> privileges to an administrator level. Subsequently, unauthorized users
> can gain complete control over various resources, including user
> roles, hosts, and networks.
>
> The vulnerability stems from the Murano service's reliance on
> MuranoPL, an extension of the YAQL language. The YAQL library includes
> a 'format' function that mirrors Python's 'str.format' method,
> enabling attribute access.
>
> ```python
> # code snippet from yaql-2.0.0\standard_library\strings.py:569
> from yaql.language import specs
> from yaql.language import yaqltypes
>
>
> @specs.parameter('__format_string', yaqltypes.String())
> @specs.extension_method
> def format_(__format_string, *args, **kwargs):
>     ...
>     # Delegates straight to str.format, so replacement fields may walk
>     # attributes and items of the arguments ({0.__class__...}).
>     return __format_string.format(*args, **kwargs)
> ```
>
> An example of this vulnerability includes:
>
> ```
> >>> secret_key = "abcd1234"
> >>> class Test:
> ...     def __init__(self):
> ...         pass
> ...
> >>> t = Test()
> >>> # Exploiting the vulnerability to expose sensitive data:
> >>> malicious_format_string = '{0.__class__.__init__.__globals__[secret_key]}'
> >>> formatted_output = malicious_format_string.format(t)
> >>> print(formatted_output)  # This line reveals the value of secret_key
> abcd1234
> ```
>
> This exploit allows access to Murano service's oslo configuration
> storage, thereby exposing critical Murano service account credentials,
> granting unauthorized users administrative privileges.
>
> We believe no deployment mode is immune to this vulnerability. To
> ensure system security, we recommend immediate attention and
> remediation of this vulnerability within the OpenStack Murano
> component. Our team stands ready to offer assistance and collaboration
> in addressing and resolving this issue promptly.
>
> Thank you for your prompt attention to this matter.
>
> Sincerely,
> kirualawliet
> Sangfor Security Research Team
>
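The report above shows that delegating to `str.format` lets a format string walk an argument's attributes and items. The block below is an added example, not code from the yaql project or from the report: a hypothetical `safe_format` that parses the format string with `string.Formatter` and rejects any replacement field (including fields nested in a format spec) that uses `.` or `[` before calling `str.format`. The `secret_key`/`Test` names are constructed to mirror the report's demonstration.

```python
import string

# Constructed stand-in for a module-level secret, mirroring the report's example.
secret_key = "abcd1234"


class Test:
    pass


class UnsafeFormatField(ValueError):
    """Raised when a format field tries to reach into an argument's attributes or items."""


def safe_format(format_string, *args, **kwargs):
    """Hypothetical hardened replacement for a str.format-backed format_().

    string.Formatter.parse() yields (literal_text, field_name, format_spec,
    conversion) per replacement field. A field_name containing '.' or '['
    would let the template walk attributes/items (e.g. {0.__class__...}),
    so it is rejected before str.format() runs. format_spec may itself hold
    nested fields ('{0:{1.__class__}}'), so it is checked recursively.
    """
    def check(template):
        for _literal, field_name, format_spec, _conv in string.Formatter().parse(template):
            if field_name is None:          # literal text only, nothing to check
                continue
            if "." in field_name or "[" in field_name:
                raise UnsafeFormatField(
                    "attribute/item access in format field %r is not allowed" % field_name)
            if format_spec:
                check(format_spec)

    check(format_string)
    return format_string.format(*args, **kwargs)


def is_rejected(format_string, *args, **kwargs):
    """True when safe_format refuses the template, False when it renders it."""
    try:
        safe_format(format_string, *args, **kwargs)
    except UnsafeFormatField:
        return True
    return False


def demo():
    """Benign templates still render; the report's payload is refused."""
    t = Test()
    benign = safe_format("host {0} port {port}", "web1", port=8080)
    leaked = not is_rejected("{0.__class__.__init__.__globals__[secret_key]}", t)
    return benign, leaked
```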