[Bug 1521560] [NEW] User can delete any image

Viktor Křivák viktor.krivak at gmail.com
Tue Dec 1 10:21:44 UTC 2015


*** This bug is a security vulnerability ***

Public security bug reported:

Not sure if I have some typo in the config, but it looks like that from
Kilo, a user can delete any image via the nova API. Only the UUID is needed.
Also a user can list every image in the system, even non-public ones which
don't belong to him.

# Image info:
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2015-11-30T18:08:05Z                 |
| disk_format      | qcow2                                |
| hw_vif_model     | e1000                                |
| id               | 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | Cirros 0.3.4                         |
| owner            | d697f13bce95426d82179c216a8e3f1c     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2015-11-30T18:08:06Z                 |
| virtual_size     | None                                 |
| visibility       | public                               |
+------------------+--------------------------------------+


# Notice it is just a public image with an owner (other than myself)

# My session
$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-12-01T11:03:03.988742Z      |
| id         | ################################ |
| project_id | 873a42b1eb3a42768f6b702c55b5c932 |
| user_id    | 37d0d3638ab243f786e68649fad84354 |
+------------+----------------------------------+


# And then this somehow works
$ nova image-delete 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
$ nova image-list
+--------------------------------------+---------------------+--------+--------+
| ID                                   | Name                | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 90678a27-c1e7-499b-9c06-bc6c01e100b3 | Debian 7 - Refstack | ACTIVE |        |
| f851e1d7-9e17-4c6f-beda-de3b3ea40db1 | Debian 8            | ACTIVE |        |
+--------------------------------------+---------------------+--------+--------+
$ nova image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
ERROR (CommandError): No image with a name or ID of '3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba' exists.
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
404 Not Found: No image found with ID 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba (HTTP 404)

Glance always correctly returns 404, but nova deletes it even if I'm just a member.
If I don't have any mistake in the config, this is a serious security bug, because anyone can delete any image.

My opinion is that nova calls glance internally as admin and doesn't do any additional permission checks.
A quick fix could be just adding a filter to nova/image/api.py

My nova version: 2015.1.2-2 (Kilo)
Tested on Debian GNU/Linux 8.2 (jessie), but I think this bug is general

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "Nova configuration with removed passwords"
   https://bugs.launchpad.net/bugs/1521560/+attachment/4527887/+files/nova.conf

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1521560
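As an added illustration (not nova's own code and not the reporter's), here is a hypothetical guard of the kind the report suggests for nova/image/api.py: image listing is scoped to what the caller may see, and a delete is refused unless the caller's project owns the image or is admin. The owner, project_id and UUID values come from the report above; the RequestContext and Image classes, the PRIVATE/OWNER/ADMIN sample records and the `protected` handling are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class RequestContext:
    """Hypothetical caller context (assumption: project/user ids from the keystone token)."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class Image:
    """Hypothetical image record carrying the Glance fields shown in the report."""
    id: str
    owner: str              # project id that owns the image
    visibility: str         # "public" or "private"
    protected: bool = False


def is_visible(ctx: RequestContext, image: Image) -> bool:
    """Public images, the caller's own project's images, or anything for an admin."""
    return ctx.is_admin or image.visibility == "public" or image.owner == ctx.project_id


def filter_visible(ctx: RequestContext, images: List[Image]) -> List[Image]:
    """Listing returns only what the caller may see (the 'list every image' half of the report)."""
    return [img for img in images if is_visible(ctx, img)]


def check_delete(ctx: RequestContext, image: Image) -> str:
    """Returns 'ok', 'not_found', 'forbidden' or 'protected'.
    Invisible images answer 'not_found' so the API does not confirm which UUIDs exist."""
    if not is_visible(ctx, image):
        return "not_found"
    if image.protected:
        return "protected"
    if ctx.is_admin or image.owner == ctx.project_id:
        return "ok"
    return "forbidden"


# Sample data: CIRROS and REPORTER use ids from the report; PRIVATE, OWNER and ADMIN are constructed.
CIRROS = Image("3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba", "d697f13bce95426d82179c216a8e3f1c", "public")
PRIVATE = Image("11111111-2222-3333-4444-555555555555", "d697f13bce95426d82179c216a8e3f1c", "private")
REPORTER = RequestContext("37d0d3638ab243f786e68649fad84354", "873a42b1eb3a42768f6b702c55b5c932")
OWNER = RequestContext("owner-user", "d697f13bce95426d82179c216a8e3f1c")
ADMIN = RequestContext("admin-user", "admin-project", is_admin=True)
```

With this guard in front of the delete call, the reporter's `nova image-delete` on the Cirros image is refused as `forbidden` rather than being forwarded to Glance with admin credentials.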

