[openstack-dev] [OSSG][OSSN] Cinder wipe fails in an insecure manner on Grizzly
Nathan Kinder
nkinder at redhat.com
Tue Jun 3 13:32:17 UTC 2014
Cinder wipe fails in an insecure manner on Grizzly
---
### Summary ###
A configuration error can prevent the secure erase of volumes in Cinder
on Grizzly, potentially allowing a user to recover another user’s data.
### Affected Services / Software ###
Cinder, Grizzly
### Discussion ###
In Cinder on Grizzly, a configurable method to perform a secure erase of
volumes was added. In the event of a misconfiguration, no secure erase
will be performed.

The default code path in Cinder’s clear_volume() method, which is taken
in the event of a configuration error, results in no wiping of the
volume, even if the user had flagged the volume for wiping.

This is the same behaviour as if the volume_clear = ‘none’ option was
selected. This could let an attacker recover data from a volume that was
intended to be securely erased. Incorrect configuration values include
ones that would appear to result in a secure erase, for example
“volume_clear = true” or “volume_clear = yes”.

In the event of a misconfiguration resulting in this issue, the message
“Error unrecognized volume_clear option” should be present in log
files.
### Recommended Actions ###
- Create and clear a volume (cinder create --display_name erasetest 10;
  cinder delete erasetest)
- Review log files for the above error message
  (grep "Error unrecognized volume_clear option" <logfile>)
- Review configuration files to ensure that the valid options ‘zero’ or
  ‘shred’ are specified.
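
The configuration and log checks above can be scripted. This is an added example, not part of the original advisory or of Cinder's code; it assumes volume_clear is set in the [DEFAULT] section of cinder.conf, and the sample config and log lines are constructed.

```python
import configparser

# Values the advisory names: 'zero' and 'shred' wipe, 'none' explicitly does not.
WIPING = {"zero", "shred"}
LOG_MARKER = "Error unrecognized volume_clear option"

# Constructed sample input (not taken from a real deployment).
SAMPLE_CONF = """[DEFAULT]
volume_group = cinder-volumes
volume_clear = yes
"""
SAMPLE_LOG = [
    "2014-06-03 13:00:01 INFO cinder.volume.manager deleting volume erasetest",
    "2014-06-03 13:00:02 ERROR cinder.volume.driver "
    "Error unrecognized volume_clear option: yes",
]


def audit_volume_clear(conf_text):
    """Return (status, value) for the volume_clear setting in cinder.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # Assumption: the option is set in [DEFAULT], which defaults() exposes.
    raw = parser.defaults().get("volume_clear")
    if raw is None:
        return ("unset", None)  # release default applies; check it separately
    value = raw.strip().strip("'\"")
    if value in WIPING:
        return ("wipes", value)
    if value == "none":
        return ("no-wipe-explicit", value)
    # Anything else (true, yes, a typo) takes the no-wipe path the advisory describes.
    return ("no-wipe-misconfigured", value)


def find_wipe_failures(log_lines):
    """Return (line_number, line) for each log line carrying the error message."""
    return [(n, line.rstrip()) for n, line in enumerate(log_lines, 1)
            if LOG_MARKER in line]


if __name__ == "__main__":
    print(audit_volume_clear(SAMPLE_CONF))
    for n, line in find_wipe_failures(SAMPLE_LOG):
        print("log line %d: %s" % (n, line))
```

A "no-wipe-misconfigured" result or any hit from find_wipe_failures means volumes deleted under that configuration were not erased.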
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0016
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1322766
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg