[OSSN-0091] BMC emulators developed in OpenStack community do not preserve passwords on VMs
## Summary ##
When deploying VirtualBMC or Sushy-Tools in an unsupported, production-like configuration, it can remove secret data, including VNC passwords, from a libvirt domain permanently. Operators impacted by this vulnerability must reconfigure any secret data, including VNC passwords, for the libvirt domain.

These virtual machine emulators are tools to help emulate a physical machine's Baseboard Management Controller (BMC) to aid in development and testing of software that would otherwise require physical machines to perform integration testing activities. They are not intended or supported for production or long-term use of any kind.

## Affected Services / Software ##
* Sushy-Tools, <=0.21.0
* VirtualBMC, <=2.2.2

There is no impact to any OpenStack software or services intended for production use.

## Patches ##
* VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620
* Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625

## Discussion ##
To perform some advanced operations on Libvirt virtual machines, the underlying XML document describing the virtual machine's domain must be extracted, modified, and then updated. These specific actions are for aspects such as "setting a boot device" (VirtualBMC, Sushy-Tools), setting a boot mode (Sushy-Tools), and setting a virtual media device (Sushy-Tools).

This issue is triggered when a VM has any kind of "secure" information defined in the XML domain definition. If an operator deploys VirtualBMC or Sushy-Tools to manage one of these libvirt VMs, the first time any action is performed that requires rewriting of the XML domain definition, all secure information -- including a VNC console password, if set -- is lost and removed from the domain definition, leaving the libvirt VMs exposed to a malicious console user.

## Recommended Actions ##
Operators who may have been impacted by this vulnerability should immediately remove use of VirtualBMC and/or Sushy-Tools from their production environment. Then validate and, if necessary, reconfigure passwords for VNC access or any other impacted secrets.

## Notes ##
The OpenStack team will ensure documentation is updated to clearly state these software packages are intended for development/CI use only, and are not safe to run in production.

## Credits ##
Julia Kreger from Red Hat

## References ##
Author: Jay Faulkner, G-Research Open Source Software
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090
Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382
Mailing List : [Security] tag on openstack-discuss@lists.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg
CVE: CVE-2022-44020
The correct link to the OSSN is https://wiki.openstack.org/wiki/OSSN/OSSN-0091. My apologies for the error.

-- Jay Faulkner

On 2022-10-31 at 21:04, jay@gr-oss.io wrote:

## Summary ##
When deploying VirtualBMC or Sushy-Tools in an unsupported, production-like
configuration, it can remove secret data, including VNC passwords, from a libvirt domain permanently. Operators impacted by this vulnerability must reconfigure any secret data, including VNC passwords, for the libvirt domain.
These virtual machine emulators are tools to help emulate a physical machine's Baseboard Management Controller (BMC) to aid in development and testing of software that would otherwise require physical machines to perform integration testing activities. They are not intended or supported for production or long-term use of any kind.
## Affected Services / Software ##
* Sushy-Tools, <=0.21.0
* VirtualBMC, <=2.2.2
There is no impact to any OpenStack software or services intended for production use.
## Patches ##
* VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620
* Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625

## Discussion ##
To perform some advanced operations on Libvirt virtual machines, the underlying XML document describing the virtual machine's domain must be extracted, modified, and then updated. These specific actions are for aspects such as "setting a boot device" (VirtualBMC, Sushy-Tools), setting a boot mode (Sushy-Tools), and setting a virtual media device (Sushy-Tools).

This issue is triggered when a VM has any kind of "secure" information defined in the XML domain definition. If an operator deploys VirtualBMC or Sushy-Tools to manage one of these libvirt VMs, the first time any action is performed that requires rewriting of the XML domain definition, all secure information -- including a VNC console password, if set -- is lost and removed from the domain definition, leaving the libvirt VMs exposed to a malicious console user.

## Recommended Actions ##
Operators who may have been impacted by this vulnerability should immediately remove use of VirtualBMC and/or Sushy-Tools from their production environment. Then validate and, if necessary, reconfigure passwords for VNC access or any other impacted secrets.

## Notes ##
The OpenStack team will ensure documentation is updated to clearly state these software packages are intended for development/CI use only, and are not safe to run in production.

## Credits ##
Julia Kreger from Red Hat

## References ##
Author: Jay Faulkner, G-Research Open Source Software
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090
Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382
Mailing List : [Security] tag on openstack-discuss@lists.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg
CVE: CVE-2022-44020
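
An added example, not code from VirtualBMC, Sushy-Tools or the advisory: it models the extract-modify-update round trip from the Discussion and the VNC password validation from the Recommended Actions. The domain XML, the function names and the `secure` switch are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definition (not taken from the advisory).
STORED_XML = """<domain type='kvm'>
  <name>node-0</name>
  <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
  <devices>
    <graphics type='vnc' port='-1' passwd='constructed-secret'/>
  </devices>
</domain>"""


def dump_xml(stored, secure):
    """Model of a domain XML dump: libvirt leaves security-sensitive
    attributes out unless the caller asks for them
    (VIR_DOMAIN_XML_SECURE, or `virsh dumpxml --security-info`)."""
    root = ET.fromstring(stored)
    if not secure:
        for graphics in root.iter("graphics"):
            graphics.attrib.pop("passwd", None)
    return ET.tostring(root, encoding="unicode")


def set_boot_device(xml, dev):
    """The 'modify' step: rewrite <os><boot dev=...> in the dumped XML."""
    root = ET.fromstring(xml)
    root.find("./os/boot").set("dev", dev)
    return ET.tostring(root, encoding="unicode")


def round_trip(stored, dev, secure):
    """Extract, modify, then redefine: the returned document replaces
    the stored definition."""
    return set_boot_device(dump_xml(stored, secure), dev)


def vnc_without_password(xml):
    """Audit check: VNC <graphics> elements that carry no passwd."""
    root = ET.fromstring(xml)
    return [g.attrib for g in root.iter("graphics")
            if g.get("type") == "vnc" and not g.get("passwd")]


if __name__ == "__main__":
    for secure in (False, True):
        redefined = round_trip(STORED_XML, "network", secure)
        print("secure dump:", secure,
              "| unprotected VNC:", vnc_without_password(redefined))
```

When running the audit function against a real host, feed it XML dumped with security information included; a dump taken without it reports every VNC display as unprotected.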