Remote arbitrary file corruption / creation flaw via injected files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Critical | Pádraig Brady |
Essex | Fix Released | Critical | Pádraig Brady |
nova (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Bug Description
Matthias Weckbecker from SUSE Security Team reported the following:
------------------
During our internal security audit efforts at SUSE for openstack, I have found
an issue in openstack-nova (compute).
Quoting from [1] (comment #1):
Vulnerable code (quoted), /usr/lib64/
[... snipped copy of utils.execute code ...]
It's already doing lots of things correctly, like e.g. calling Popen with
the first parameter being a list, still it is affected by traversal flaws.
Testcase (also from [1], comment #0):
mweckbecker@
<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="http://
imageRef="http://
<metadata>
<meta key="My Server Name">foobar</meta>
</metadata>
<personality>
<file path=".
</file>
</personality>
</server>
mweckbecker@
"http://
-H"X-Auth-
-H"Content-
Additional note: This beast is calling tee with sudo, potentially allowing
attackers to even alter files such as /etc/passwd.
[1] https:/
Thanks, Matthias
Related branches
- Chuck Short: Pending requested
- Diff: 56 lines (+14/-4), 3 files modified: debian/changelog (+8/-0), debian/control (+6/-3), debian/nova-console.install (+0/-1)
Changed in nova:
- assignee: nobody → Thierry Carrez (ttx)

Changed in nova:
- status: Confirmed → Triaged

Changed in nova:
- milestone: none → folsom-2
- status: Fix Committed → Fix Released

Changed in nova:
- assignee: Thierry Carrez (ttx) → Pádraig Brady (p-draigbrady)
- status: Fix Released → In Progress

Changed in nova:
- status: In Progress → Fix Released

Changed in nova (Ubuntu):
- status: New → Fix Released

Changed in nova (Ubuntu Precise):
- status: New → Confirmed

Changed in nova:
- milestone: folsom-2 → 2012.2

no longer affects: nova/diablo
Ouch :)
I would not blame the utils.execute() code though, it's a low-level primitive that just does what it's told to do.
The flaw is actually in nova/virt/disk/api.py which does not check that "path" is still within the image mount_dir in inject_files() or _inject_file_into_fs().
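To make the missing check concrete, here is an added example of the containment test described in the comment above. It is illustrative code, not nova's own code and not the fix that was merged; the helper names (join_and_check_path, is_contained, demo) and the temporary "mount dir" it constructs are assumptions for the demonstration.

```python
import os
import shutil
import tempfile


def join_and_check_path(mount_dir, path):
    """Resolve a guest-relative personality file ``path`` inside ``mount_dir``
    and refuse any result that does not stay strictly below it.

    Hypothetical helper: it shows the check that inject_files() /
    _inject_file_into_fs() lacked, i.e. verifying the final target is still
    inside the mounted image before anything is written to it.
    """
    # Guest paths are absolute within the guest; strip leading slashes so
    # os.path.join does not discard mount_dir.
    rel = path.lstrip("/")
    base = os.path.realpath(mount_dir)
    # realpath collapses ".." components and follows symlinks, so a symlink
    # inside the image that points at the host filesystem is caught too.
    target = os.path.realpath(os.path.join(base, rel))
    if not target.startswith(base + os.sep):
        raise ValueError("path %r escapes mount dir %r" % (path, mount_dir))
    return target


def is_contained(mount_dir, path):
    """True if ``path`` would be written inside ``mount_dir``."""
    try:
        join_and_check_path(mount_dir, path)
        return True
    except ValueError:
        return False


def demo():
    """Constructed scenario: a temporary 'mount dir' holding an ordinary
    etc/ directory and a guest-controlled symlink that points outside it."""
    mount = tempfile.mkdtemp(prefix="nova-mount-")
    try:
        os.mkdir(os.path.join(mount, "etc"))
        os.symlink("/etc", os.path.join(mount, "escape"))
        probes = ("/etc/motd", "../../etc/passwd", "/escape/passwd")
        return {p: is_contained(mount, p) for p in probes}
    finally:
        shutil.rmtree(mount)


if __name__ == "__main__":
    for guest_path, ok in demo().items():
        print("%-20s %s" % (guest_path, "allowed" if ok else "rejected"))
```

Only the first probe is accepted; the ".." traversal and the symlink hop both resolve outside the mount dir and are rejected before any write.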