[openstack-dev] [OSSN 0038] Suds client subject to cache poisoning by local attacker

Nathan Kinder nkinder at redhat.com
Thu Dec 18 06:41:23 UTC 2014


Suds client subject to cache poisoning by local attacker
---

### Summary ###
Suds is a Python SOAP client for consuming Web Services. Its default
cache implementation stores pickled objects to a predictable path in
/tmp. This can be used by a local attacker to redirect SOAP requests via
symlinks or run a privilege escalation or code execution attack.

### Affected Services / Software ###
Cinder, Nova, Grizzly, Havana, Icehouse

### Discussion ###
The Python 'suds' package is used by oslo.vmware to interface with SOAP
service APIs and both Cinder and Nova have dependencies on oslo.vmware
when using VMware drivers. By default suds uses an on-disk cache that
places pickle files, serialised Python objects, into a known location
'/tmp/suds'. A local attacker could use symlinks or place crafted files
into this location that will later be deserialised by suds.

By manipulating the content of the cached pickle files, an attacker can
redirect or modify SOAP requests. Alternatively, pickle may be used to
run injected Python code during the deserialisation process. This can
allow the spawning of a shell to execute arbitrary OS level commands
with the permissions of the service using suds, thus leading to possible
privilege escalation.

At the time of writing, the suds package appears largely unmaintained
upstream. However, vendors have released patched versions that do not
suffer from the predictable cache path problem. Ubuntu is known to offer
one such patched version (python-suds_0.4.1-2ubuntu1.1).

### Recommended Actions ###
The recommended solution to this issue is to disable cache usage in the
configuration as shown:

  client.set_options(cache=None)

A fix has been released to oslo.vmware (0.6.0) that disables the use of
the disk cache by default. Cinder and Nova have both adjusted their
requirements to include this fixed version. Deployers wishing to
re-enable the cache should ascertain whether or not their vendor-shipped
suds package is susceptible and consider the above advice.
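
For deployers checking an existing host, the following added example (not
part of the original notice, and not suds or oslo.vmware code) audits a
cache directory such as '/tmp/suds' for the conditions described in the
Discussion section: symlinks, foreign ownership and write access by other
users. The function names and finding labels are assumptions made for
this illustration.

```python
import os
import stat
import tempfile

DEFAULT_CACHE = "/tmp/suds"  # predictable location named in the notice


def audit_cache_dir(path=DEFAULT_CACHE, service_uid=None):
    """Return findings that make a pickle cache directory unsafe to trust."""
    uid = os.getuid() if service_uid is None else service_uid
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        # Missing but predictable: in a shared parent such as /tmp any
        # local user can create the directory before the service does.
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return ["missing-in-shared-parent"]
        return []
    if stat.S_ISLNK(st.st_mode):
        return ["dir-is-symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    findings = []
    if st.st_uid != uid:
        findings.append("dir-foreign-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("dir-writable-by-others")
    for name in sorted(os.listdir(path)):
        entry = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(entry.st_mode):
            findings.append("entry-is-symlink:" + name)
        elif entry.st_uid != uid:
            findings.append("entry-foreign-owner:" + name)
    return findings


def make_private_cache_dir(prefix="suds-cache-"):
    """Create an unpredictable directory readable only by its owner (0700)."""
    return tempfile.mkdtemp(prefix=prefix)


if __name__ == "__main__":
    for finding in audit_cache_dir() or ["no findings"]:
        print(finding)
```

Any finding means cached files in that directory should be discarded
rather than loaded.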

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0038
Original Launchpad Bug : https://bugs.launchpad.net/ossn/+bug/1341954
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Suds: https://pypi.python.org/pypi/suds
CVE: CVE-2013-2217