Date: Tue, 14 Oct 2014 01:01:53 -0400 (EDT)
From: cve-assign@...re.org
To: jeremy@...nstack.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Nova

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Title: Nova VMware driver may connect VNC to another tenant's console
> Products: Nova
> Versions: up to 2014.1.3
> 
> Marcio Roberto Starke reported a vulnerability in the Nova VMware
> driver. A race condition in its VNC port allocation may cause it to
> connect the wrong console if instances are created concurrently. By
> repeatedly spawning new instances, an authenticated user may be able
> to gain unauthorized console access to instances belonging to other
> tenants. Only Nova setups using the VMware driver and the VNC proxy
> service are affected.
> 
> References:
> https://launchpad.net/bugs/1357372


> When spawning some instances, the nova VMware driver could have a race
> condition in VNC port allocation. Although the get_vnc_port function
> has a lock, it does not guarantee that the whole vnc port allocation process
> is locked, so another instance could receive the same port if it
> requests the VNC port before nova has finished the vnc port allocation
> to another VM.
> 
> If the instances with the same VNC port are allocated on the same host it
> could lead to improper access to the instance console.
> 
> Reproduce the problem: Launch two or more instances at the same time. In
> some cases one instance could execute the get_vnc_port and pick a port
> but before this instance has finished the _set_vnc_config another
> instance could execute get_vnc_port and pick the same port.


> it looks like something an attacker could probably leverage repetition
> to eventually exploit

Use CVE-2014-8750.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
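
The check-then-act window described in the quoted report, as an added example that is not part of the original message and is not Nova's code. Only the names `get_vnc_port` and `_set_vnc_config` come from the report; the `Host` class, `spawn_racy`, `spawn_locked`, `run_concurrent_spawns` and the port range are assumptions made for illustration, and a barrier forces both spawns into the window so the outcome is repeatable.

```python
import threading

VNC_PORT_BASE = 5900   # constructed sample range, not Nova's configuration
VNC_PORT_TOTAL = 16

class Host:
    """Toy stand-in for one hypervisor host: maps VM name -> configured VNC port."""
    def __init__(self):
        self.vnc_config = {}
        self.lock = threading.Lock()

    def get_vnc_port(self):
        # A port counts as taken only once it appears in some VM's config.
        used = set(self.vnc_config.values())
        for port in range(VNC_PORT_BASE, VNC_PORT_BASE + VNC_PORT_TOTAL):
            if port not in used:
                return port
        raise RuntimeError("no free VNC port")

    def _set_vnc_config(self, vm, port):
        self.vnc_config[vm] = port

    def spawn_racy(self, vm, pause):
        with self.lock:                 # lock covers the lookup only
            port = self.get_vnc_port()
        pause()                         # window before the port is recorded
        self._set_vnc_config(vm, port)

    def spawn_locked(self, vm, pause):
        with self.lock:                 # lock covers lookup and recording
            port = self.get_vnc_port()
            pause()
            self._set_vnc_config(vm, port)

def run_concurrent_spawns(method_name):
    """Spawn two VMs at once, steering both toward the window; return the config."""
    host = Host()
    barrier = threading.Barrier(2)
    def pause():
        try:
            barrier.wait(timeout=0.5)   # both threads meet here unless a lock stops one
        except threading.BrokenBarrierError:
            pass                        # the peer was held out by the lock
    threads = [threading.Thread(target=getattr(host, method_name), args=(vm, pause))
               for vm in ("vm-a", "vm-b")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return host.vnc_config
```

Holding the lock across both steps is one way to close the window; reserving the port in a shared set inside `get_vnc_port` would be another.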
