Bug 924259 (CVE-2015-2687) - VUL-1: CVE-2015-2687: openstack-nova: information leak when live-migration failed
Summary: VUL-1: CVE-2015-2687: openstack-nova: information leak when live-migration fa...
Status: RESOLVED WONTFIX
Alias: CVE-2015-2687
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115016/
Whiteboard: CVSSv2:RedHat:CVE-2015-2687:1.0:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-25 13:42 UTC by Marcus Meissner
Modified: 2017-08-25 16:53 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-25 13:42:46 UTC 
via oss-sec, from CVE-ASSIGN Mitre

    https://bugs.launchpad.net/nova/+bug/1419577


Use CVE-2015-2687 for this issue with an unintended loss of access
control after a failed live migration.

For purposes of CVE, we typically don't think of vulnerabilities in
the way expressed in
https://bugs.launchpad.net/nova/+bug/1419577/comments/4 "without a way
to make the migration process fail, this is a bug with security
consequence, but not a vulnerability." In other words, for a CVE, the
attacker can be a person who wishes to have an unauthorized volume
attachment after the bug is triggered. The attacker does not need to
be a person who has determined a reproducible way to trigger the bug.

    if live-migration is executed while process keep using big size of
    memory by benchmark tool or something like that in VM instance and
    then the waiting status of live-migration could be persisted,
    eventually live-migration will be failed.


We think that nobody commented on whether this is a feasible way to
actively trigger the bug.

    you're suggesting potential exploits involving

    1. disconnecting physical network interfaces


We think the intended security property of this OpenStack product is:
"if network connectivity is disrupted by anyone (authorized or not)
during a live migration, then access control for volumes still must
match users' expectations afterward."

It is conceivable that the intended security property of this
OpenStack product is instead "if network connectivity is disrupted
during a live migration, then access control for volumes afterward is
undefined." In this case, maybe you mean that the CVE should apply
only to Havana, because the only relevant root cause is a Havana bug.
The reasoning in that scenario would be:

   1 - a Havana bug (e.g., 1362916 or possibly the combination of
       1362916 and a second bug) makes it possible to force a failure
       of a live migration

   2 - this was not previously considered a vulnerability

   3 - however, the relevant OpenStack product has a required security
       property of "There must not be any software bugs that allow
       live-migration failure attacks, because these attacks are
       equivalent to attacks against volume access control."

   4 - therefore, the bug in item 1 is promoted to a vulnerability,
       and is the bug directly associated with CVE-2015-2687

   5 - consequently, CVE-2015-2687 would not be used in an advisory
       because Havana is unsupported by the OpenStack VMT

So, does the OpenStack VMT have a position on whether to choose this
latter scenario? In other words, if live migration fails because of a
disconnected physical network interface, is access control for volumes
intentionally undefined afterward?


References:
https://bugs.launchpad.net/nova/+bug/1419577
http://seclists.org/oss-sec/2015/q1/990
https://bugzilla.redhat.com/show_bug.cgi?id=1205313
Comment 2 Swamp Workflow Management 2015-03-25 23:00:35 UTC 
bugbot adjusting priority