Date: Thu, 19 Sep 2013 12:52:09 -0600 From: Kurt Seifried <kseifried@...hat.com> To: Open Source Security <oss-security@...ts.openwall.com>, Thierry Carrez <thierry@...nstack.org>, Jeremy Stanley <jeremy@...nstack.org> Subject: OpenStack: Glance image creation in other tenant accounts (CVE-2013-4354) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 With apologies, I was supposed to send this out yesterday but missed it. I spoke with upstream and we agreed that making this public does not present a major risk. - From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4354 ========== Dafna Ron of Red Hat reports: Description of problem: when I try to create an image with tenant name and not tenant ID, the image is not created and no errors are issued. you simply cannot find the image. Version-Release number of selected component (if applicable): openstack-glance-2013.1.3-1.el6ost.noarch How reproducible: 100% Steps to Reproduce: 1. install AIO with local tgt storage (using packstack) 2. create a tenant and a user 3. create an image for the tenant using the tenant name 4. run glance image-list while logging in with user 5. run the same create command using tenant ID 6. run glance image-list while logging in with the user Actual results: image is no created with tenant name. no errors or indicators that the image was not created. Expected results: image should be created with tenant name if we decided not to allow create of image with tenant name we should block the command from running with missing param error ======== Upon further investigation Flavio Percoco of Red Hat reports: Ayal suggested this could also be a security issue. I went ahead and tested current behavior and indeed, this behavior could be used to inject images to other users. Scenario: - - Create an image using user1 - - Pick tenant's id of user2 and add it as a member of the image user1 just created - - Use user2 to list images. This will list the image user1 created. I think this is an issue because it allows user from other tenants to sneak images with a backdoor to other tenants. ========== - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSO0fYAAoJEBYNRVNeJnmTrm4QAKP8lbvyPi6UbqGFDBcZbNcw K8H9Qrg0IPR6P2cLJMpMN0RKkMlkPy7sHJZXx3Yg4ki2wJ39rq5/XyaMs0y3QvbX OumUV9hw81CuODPbpT+n5qaIWShB2LWDUK5hOvezDAyjrQTt6F0BGvkDMFp8mEA5 IX074I5590GgrNRcr1YtJyRDEblP0Q6Xcm4Pla3ShuyH39Vj6TGQDhru5Pu/0WtU 9WrDmMC7koXLzcFPj3y7XUvhE6ftjlX/9Cnc8aYA+nLA4xMVlDPazprFmcf68pWc VUWA6C2BtsQOA30tarzHSAdd0eKiGSQ7VqKhT0Kis8rrgA65EwXKZ8CecnVdTfy6 yTGINC18iBoqR4M9bRmVpDE5xawtM0cf1BUzZZEq3pGL6ZiuALWqhMjxXRFiWOaz Lg+92OvopIBl+L0ncWXwC0IhBvmanBl4VzPItbNlMRmgyXLUNdlRuyDJzfWci6Z8 Uh4kyl/Xk3sqBgdJOyd+gS8IRxlsqxOitppkpScDFTc7yNXzrqLS+fe1Duhkrct6 g1tKmvrBvKzOqfglSxHmABR81YS5m3DRvSEGpKsNN1uest/hNpRpbVUUB0PbgD0I UEeug7jmKwLe1igBXrctxrBc/RRtw5c1PmvlbXDFmt3tLpl0ar0d+iuPTdZQZzee WaPgP+KUFohNJyS/2Ljn =gLOM -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.