## Summary ##

When deployed in an unsupported, production-like configuration, VirtualBMC or Sushy-Tools can permanently remove secret data, including VNC passwords, from a libvirt domain. Operators impacted by this vulnerability must reconfigure any secret data, including VNC passwords, for the libvirt domain.

These virtual machine emulators are tools that emulate a physical machine's Baseboard Management Controller (BMC) to aid in development and testing of software that would otherwise require physical machines for integration testing. They are not intended or supported for production or long-term use of any kind.

## Affected Services / Software ##

* Sushy-Tools, <=0.21.0
* VirtualBMC, <=2.2.2

There is no impact to any OpenStack software or services intended for production use.

## Patches ##

* VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620
* Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625

## Discussion ##

To perform some advanced operations on libvirt virtual machines, the underlying XML document describing the virtual machine's domain must be extracted, modified, and then updated. This applies to actions such as setting a boot device (VirtualBMC, Sushy-Tools), setting a boot mode (Sushy-Tools), and setting a virtual media device (Sushy-Tools).

This issue is triggered when a VM has any kind of "secure" information defined in the XML domain definition. If an operator deploys VirtualBMC or Sushy-Tools to manage one of these libvirt VMs, the first time any action is performed that requires rewriting the XML domain definition, all secure information -- including a VNC console password, if set -- is lost and removed from the domain definition, leaving the libvirt VMs exposed to a malicious console user.
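
The extract, modify, update cycle described above, reproduced offline as an added example (not code from VirtualBMC, Sushy-Tools or this note) together with a check for passwords lost in a rewrite. The function names and the sample domain are constructed for illustration; `dump_without_secrets` only simulates an XML dump that omits secrets.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain; the name and password are placeholders.
DOMAIN_XML = """
<domain type='kvm'>
  <name>example-node</name>
  <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
  <devices>
    <graphics type='vnc' port='-1' listen='0.0.0.0' passwd='EXAMPLE-ONLY'/>
  </devices>
</domain>
"""

def dump_without_secrets(domain_xml):
    """Simulate an XML dump that leaves out secret attributes (no libvirt call)."""
    root = ET.fromstring(domain_xml)
    for graphics in root.iter("graphics"):
        graphics.attrib.pop("passwd", None)
    return ET.tostring(root, encoding="unicode")

def set_boot_device(domain_xml, dev):
    """The kind of edit the emulators make: replace <boot> and return new XML."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    for boot in os_el.findall("boot"):
        os_el.remove(boot)
    ET.SubElement(os_el, "boot", {"dev": dev})
    return ET.tostring(root, encoding="unicode")

def graphics_passwords(domain_xml):
    """Return {(type, index): passwd or None} for every <graphics> device."""
    root = ET.fromstring(domain_xml)
    return {(g.get("type"), i): g.get("passwd")
            for i, g in enumerate(root.iter("graphics"))}

def lost_passwords(before_xml, after_xml):
    """List graphics devices that had a password before the rewrite, not after."""
    before = graphics_passwords(before_xml)
    after = graphics_passwords(after_xml)
    return [key for key, pw in before.items() if pw and not after.get(key)]

if __name__ == "__main__":
    # Rewrite based on a dump that lacks secrets: the password does not survive.
    rewritten = set_boot_device(dump_without_secrets(DOMAIN_XML), "network")
    for gtype, idx in lost_passwords(DOMAIN_XML, rewritten):
        print(f"graphics[{idx}] type={gtype}: password missing after rewrite")
```

On a real host, the two inputs to `lost_passwords` would be a saved copy of the domain definition and the output of `virsh dumpxml --security-info` for the same domain.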

## Recommended Actions ##

Operators who may have been impacted by this vulnerability should immediately remove VirtualBMC and/or Sushy-Tools from their production environment. Then validate and, if necessary, reconfigure passwords for VNC access or any other impacted secrets.

## Notes ##

The OpenStack team will ensure documentation is updated to clearly state that these software packages are intended for development/CI use only and are not safe to run in production.

## Credits ##

Julia Kreger from Red Hat

## References ##

Author: Jay Faulkner, G-Research Open Source Software
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0091
Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382
Mailing List: [Security] tag on openstack-discuss@lists.openstack.org
OpenStack Security Project: https://launchpad.net/~openstack-ossg
CVE: CVE-2022-44020