Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 13 Jun 2015 11:17:05 +0200
From: Bastian Blank <waldi@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file
 disclosure in image convert

Hi

OpenStack Cinder and Nova do not provide input format to several calls
of "qemu-img convert".  In Cinder these calls are done as root.  This
allows the attacker to play the format guessing in qemu-img by providing
input with a qcow2 signature.  If this signature contains a base file,
this file will be read by a process running as root and embedded in the
output.  This bug is similar to CVE-2013-1922 and has been assigned
CVE-2015-1850.

Tested with: lvm backed volume storage in Cinder, it may apply to others
as well.

Steps to reproduce:
- create volume and attach to vm,
- create a qcow2 signature on the volume containing a base-file[1] from
  within the vm and
- trigger an upload to Glance with "cinder upload-to-image --disk-type
  qcow2"[2].
The image uploaded to Glance will have the base-file from the
cinder-volume host embedded.

Affected versions: tested on 2014.1.3, found while reading 2014.2.1

Timeline:
- Reported upstream 2015-01-27
- Published 2015-06-13

Regards,
Bastian Blank

[1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
[2]: The disk-type != raw triggers the use of "qemu-img convert"
-- 
You can't evaluate a man by logic alone.
		-- McCoy, "I, Mudd", stardate 4513.3

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ