Bugzilla – Bug 934753
VUL-0: CVE-2015-1851: openstack-cinder: Host file disclosure through qcow2 backing file
Last modified: 2016-04-27 19:39:45 UTC
http://seclists.org/oss-sec/2015/q2/704

> OpenStack Cinder and Nova do not provide input format to several calls
> of "qemu-img convert". In Cinder these calls are done as root. This
> allows the attacker to play the format guessing in qemu-img by providing
> input with a qcow2 signature. If this signature contains a base file,
> this file will be read by a process running as root and embedded in the
> output. This bug is similar to CVE-2013-1922 and has been assigned
> CVE-2015-1850.
>
> Tested with: lvm backed volume storage in Cinder, it may apply to others
> as well.
>
> Steps to reproduce:
> - create volume and attach to vm,
> - create a qcow2 signature on the volume containing a base-file[1] from
>   within the vm and
> - trigger an upload to Glance with "cinder upload-to-image --disk-type
>   qcow2"[2].
> The image uploaded to Glance will have the base-file from the
> cinder-volume host embedded.
>
> Affected versions: tested on 2014.1.3, found while reading 2014.2.1
>
> Timeline:
> - Reported upstream 2015-01-27
> - Published 2015-06-13
> [...]
>
> [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb
> [2]: The disk-type != raw triggers the use of "qemu-img convert"

References:
https://bugs.launchpad.net/cinder/+bug/1415087
https://bugzilla.redhat.com/show_bug.cgi?id=1231816
https://review.openstack.org/#/c/191785/
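The format guessing described in the report above, as an added example that is not part of the bug report or of Cinder's own code: it checks whether the first bytes of a volume would be taken for a qcow2 header naming a backing file, and builds a `qemu-img convert` command line with the input format pinned via `-f`. The function names, the sample paths and the assumption that the volume is meant to be read as raw are illustrative.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of a qcow2 header, big-endian:
# magic (4), version (4), backing_file_offset (8), backing_file_size (4)
HEADER = struct.Struct(">4sIQI")


def qcow2_backing_file(first_bytes):
    """Return None if the data does not start with the qcow2 magic, '' if it
    does but names no backing file, else the backing file name it names."""
    if len(first_bytes) < HEADER.size:
        return None
    magic, _version, offset, size = HEADER.unpack_from(first_bytes)
    if magic != QCOW2_MAGIC:
        return None
    if offset == 0 or size == 0:
        return ""
    # The name may be cut short if the caller read too few bytes.
    return first_bytes[offset:offset + size].decode("utf-8", "replace")


def convert_argv(source, dest, out_format, source_format="raw"):
    """Build a qemu-img convert command line that pins the input format
    with -f, so guest-written bytes are never probed to guess it."""
    return ["qemu-img", "convert", "-f", source_format,
            "-O", out_format, source, dest]


def make_sample_volume(backing_path):
    """Constructed sample: start of a volume carrying a qcow2 header."""
    name = backing_path.encode()
    offset = 512  # constructed position of the name within the header area
    header = HEADER.pack(QCOW2_MAGIC, 2, offset, len(name))
    return header.ljust(offset, b"\0") + name


if __name__ == "__main__":
    sample = make_sample_volume("/constructed/host/file")
    print("qcow2 header, backing file:", qcow2_backing_file(sample))
    print("plain raw data:", qcow2_backing_file(b"\0" * 1024))
    print(" ".join(convert_argv("/dev/constructed-vg/volume",
                                "/tmp/constructed.qcow2", "qcow2")))
```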

OpenStack 2015.1 (kilo) known affected for cinder and nova.

OpenStack 2014.2 (Juno) - Cloud 5:
Cinder: cinder/image/image_utils.py upload_volume() looks affected, patch needs tweaking.
Nova: unknown

OpenStack 2014.1 (Icehouse) - Cloud 4:
Cinder: cinder/image/image_utils.py upload_volume() looks affected, but run_as_root is not used. Needs clarification.
Nova: unknown

No upstream announcement, watching bug.

https://bugs.launchpad.net/cinder/+bug/1415087/comments/56

Title: Cinder host file disclosure through qcow2 backing file
Reporter: Bastian Blank (credativ)
Products: Cinder
Affects: versions through 2014.1.4, and 2014.2 versions through 2014.2.3, and version 2015.1.0

Description: Bastian Blank from credativ reported a vulnerability in Cinder. By overwriting an image with a malicious qcow2 header, an authenticated user may mislead Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server. All Cinder and Nova setups are affected.
bugbot adjusting priority

OpenStack 2015.1 (kilo) known affected
https://git.openstack.org/cgit/openstack/cinder/commit/?id=9634b76ba5886d6c2f2128d550cb005dabf48213

OpenStack 2014.2 (Juno) - Cloud 5 affected.
https://git.openstack.org/cgit/openstack/cinder/commit/?id=d31c937c566005dedf41a60c6b5bd5e7b26f221b

OpenStack 2014.1 (Icehouse) - Cloud 4 affected.
https://git.openstack.org/cgit/openstack/cinder/commit/?id=bc0549e08b010edb863d409d80114aa78d317a61
Patch for this was already released as part of an update for Cloud 5, but bug and CVE were not mentioned in the .changes. Do you want me to amend the .changes file for this?

(In reply to Vincent Untz from comment #5)
Please change it in the next round of updates.

(In reply to Johannes Segitz from comment #6)
> (In reply to Vincent Untz from comment #5)
> Please change it in the next round of updates.

Done; will propagate to next round of update.

(In reply to Vincent Untz from comment #7)
> (In reply to Johannes Segitz from comment #6)
> > (In reply to Vincent Untz from comment #5)
> > Please change it in the next round of updates.
>
> Done; will propagate to next round of update.

mr#73705
released