Date: Sat, 13 Jun 2015 13:58:42 +0100
From: Dave Walker <email@...iey.com>
To: oss-security@...ts.openwall.com, Bastian Blank <waldi@...ian.org>
Cc: openstack-security@...ts.openstack.org
Subject: Re: CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert

On 13 Jun 2015 10:17 am, "Bastian Blank" <waldi@...ian.org> wrote:
>
> Hi
>
> OpenStack Cinder and Nova do not provide input format to several calls
> of "qemu-img convert".  In Cinder these calls are done as root.  This
> allows the attacker to play the format guessing in qemu-img by providing
> input with a qcow2 signature.  If this signature contains a base file,
> this file will be read by a process running as root and embedded in the
> output.  This bug is similar to CVE-2013-1922 and has been assigned
> CVE-2015-1850.
>
> Tested with: lvm backed volume storage in Cinder, it may apply to others
> as well.
>
> Steps to reproduce:
> - create volume and attach to vm,
> - create a qcow2 signature on the volume containing a base-file[1] from
>   within the vm and
> - trigger an upload to Glance with "cinder upload-to-image --disk-type
>   qcow2"[2].
> The image uploaded to Glance will have the base-file from the
> cinder-volume host embedded.
>
> Affected versions: tested on 2014.1.3, found while reading 2014.2.1
>
> Timeline:
> - Reported upstream 2015-01-27
> - Published 2015-06-13
>
> Regards,
> Bastian Blank
>
> [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
> [2]: The disk-type != raw triggers the use of "qemu-img convert"

Hi,

+CC openstack-security

I see that this is being brought to oss-sec', but seemingly not via the
OpenStack Security Group or Vulnerability Management Team.

CVE-2015-1850 is referenced in your mail, are you saying that this has been
assigned to this issue? I cannot easily find any other reference of its
allocation.

You said that this was raised upstream on 2015-01-27, do you have a
Launchpad bug number or information on this discourse as to what was the
outcome?

Thanks

--
Kind Regards,
Dave Walker
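
As an added defender-side example (not code from this thread, from OpenStack or from QEMU), the following Python does two things the report implies: it checks whether a volume that is supposed to be raw starts with a qcow2 signature naming a backing file, and it builds the `qemu-img convert` command with an explicit `-f` input format so qemu-img never probes. The header offsets follow the public qcow2 specification; the sample volume bytes and the backing path in them are constructed for the check and are not a valid image.

```python
import struct

# qcow2 header prefix (big-endian), per the public qcow2 spec:
#   offset 0  u32 magic "QFI\xfb"     offset 4  u32 version
#   offset 8  u64 backing_file_offset offset 16 u32 backing_file_size
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


def inspect_header(data: bytes) -> dict:
    """Report whether the first bytes of a volume carry a qcow2 signature and,
    if so, which backing (base) file the header points at."""
    result = {"is_qcow2": False, "version": None, "backing_file": None}
    if len(data) < HEADER_LEN or data[:4] != QCOW2_MAGIC:
        return result
    _, version, bf_off, bf_size = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    result["is_qcow2"] = True
    result["version"] = version
    if bf_size and bf_off + bf_size <= len(data):
        name = data[bf_off:bf_off + bf_size]
        result["backing_file"] = name.decode("utf-8", "replace")
    return result


def convert_argv(src: str, dst: str, out_format: str, in_format: str = "raw") -> list:
    """qemu-img convert with the input format declared ('-f') instead of probed.
    A volume handed over as raw is then converted as raw, whatever bytes it holds,
    so a qcow2 signature planted on it cannot pull a host file into the output."""
    return ["qemu-img", "convert", "-f", in_format, "-O", out_format, src, dst]


def precheck_raw_volume(data: bytes) -> str:
    """Pre-conversion check for a volume that is expected to be raw: a qcow2
    header that names a backing file is worth alerting on, not just skipping."""
    info = inspect_header(data)
    if info["backing_file"]:
        return "ALERT: qcow2 header with backing file %r on raw volume" % info["backing_file"]
    if info["is_qcow2"]:
        return "WARN: qcow2 signature on raw volume (no backing file)"
    return "OK"


# Constructed sample (not a valid image): first sector of a raw volume overwritten
# with a minimal qcow2 v2 header whose backing-file field points at a made-up path.
_BACKING = b"/host/some/file"
SAMPLE_VOLUME = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, HEADER_LEN, len(_BACKING)) + _BACKING
SAMPLE_VOLUME += b"\x00" * (512 - len(SAMPLE_VOLUME))
RAW_VOLUME = b"\x00" * 512  # an untouched raw volume

if __name__ == "__main__":
    print(precheck_raw_volume(SAMPLE_VOLUME))   # ALERT ...
    print(precheck_raw_volume(RAW_VOLUME))      # OK
    print(" ".join(convert_argv("/dev/mapper/vol", "/tmp/out.qcow2", "qcow2")))
```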
