Date: Tue, 14 Oct 2014 01:01:53 -0400 (EDT)
Subject: Re: CVE request for vulnerability in OpenStack Nova

> Title: Nova VMware driver may connect VNC to another tenant's console
> Products: Nova
> Versions: up to 2014.1.3
> Marcio Roberto Starke reported a vulnerability in the Nova VMware
> driver. A race condition in its VNC port allocation may cause it to
> connect the wrong console if instances are created concurrently. By
> repeatedly spawning new instances, an authenticated user may be able
> to gain unauthorized console access to instances belonging to other
> tenants. Only Nova setups using the VMware driver and the VNC proxy
> service are affected.
> References:

> When spawning some instances, nova VMware driver could have a race
> condition in VNC port allocation. Although the get_vnc_port function
> has a lock, it does not guarantee that the whole vnc port allocation process
> is locked, so another instance could receive the same port if it
> requests the VNC port before nova has finished the vnc port allocation
> to another VM.
> If the instances with the same VNC port are allocated on the same host it
> could lead to improper access to the instance console.
> Reproduce the problem: Launch two or more instances at the same time. In
> some cases one instance could execute the get_vnc_port and pick a port
> but before this instance has finished the _set_vnc_config another
> instance could execute get_vnc_port and pick the same port.

> it looks like something an attacker could probably leverage repetition
> to eventually exploit

Use CVE-2014-8750.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
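
The race described in the quoted report, as an added example that is not part of the original message and is not Nova code: a lock held only inside get_vnc_port leaves a window before _set_vnc_config records the port, while one lock held across both steps closes it. ToyHost, spawn_racy, spawn_locked, run_concurrent, shared_ports and the 5900-5999 port range are constructed for illustration; only the names get_vnc_port and _set_vnc_config come from the report.

```python
import threading

class ToyHost:
    """Constructed stand-in for one hypervisor host (hypothetical, not Nova code)."""
    def __init__(self):
        self.configured = {}              # instance name -> VNC port already recorded
        self.lock = threading.Lock()

    def _pick_free_port(self):
        used = set(self.configured.values())
        return next(p for p in range(5900, 6000) if p not in used)  # constructed range

    def get_vnc_port(self):
        with self.lock:                   # lock covers the lookup only
            return self._pick_free_port()

    def _set_vnc_config(self, instance, port):
        self.configured[instance] = port

    def spawn_racy(self, instance, pause):
        port = self.get_vnc_port()
        pause()                           # window: port chosen but not yet recorded
        self._set_vnc_config(instance, port)

    def spawn_locked(self, instance, pause):
        with self.lock:                   # pick and record form one critical section
            port = self._pick_free_port()
            pause()
            self._set_vnc_config(instance, port)

def run_concurrent(method_name, names=("vm-a", "vm-b")):
    host, barrier = ToyHost(), threading.Barrier(len(names))
    def pause():                          # hold each spawn until its peers arrive, or 0.5 s
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass
    threads = [threading.Thread(target=getattr(host, method_name), args=(n, pause)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return host.configured               # instance -> port after all spawns finish

def shared_ports(configured):             # audit: ports configured on more than one instance
    by_port = {}
    for instance, port in configured.items():
        by_port.setdefault(port, []).append(instance)
    return {p: sorted(v) for p, v in by_port.items() if len(v) > 1}
```

The same grouping as shared_ports, applied to the VNC ports actually configured on each host, is a quick audit for instances that already collided.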