[openstack-dev] [OSSN-0060] Glance configuration option can lead to privilege escalation

McPeak, Travis travis.mcpeak at hpe.com
Mon Jan 25 16:59:25 UTC 2016


Glance configuration option can lead to privilege escalation
---

### Summary ###
Glance exposes a configuration option called `use_user_token` in the
configuration file `glance-api.conf`.  It should be noted that the
default setting (`True`) is secure.  If, however, the setting is
changed to `False` and valid admin credentials are supplied in the
following section (`admin_user` and `admin_password`), Glance API
commands will be executed with admin privileges regardless of the
intended privilege level of the calling user.

### Affected Services / Software ###
Glance, Juno, Kilo, Liberty

### Discussion ###

The `use_user_token` configuration option was created to enable
automatic re-authentication for tokens which are close to expiration,
thus preventing the tokens from expiring in the middle of
longer-lasting Glance commands.  Unfortunately the implementation
enables privilege escalation attacks by automatically executing API
commands as an administrator-level user.

By default `use_user_token` is set to `True` which is secure.  If the
option is disabled (set to `False`) and valid admin credentials are
specified in the `glance-api.conf` file, API commands will be executed
as the supplied admin user regardless of the intended privileges of the
calling user.  Glance API v2 configurations which don't enable the
registry service (`data_api = glance.db.registry.api`) aren't affected.

Enabling unauthenticated and lower-privileged users to execute Glance
commands with administrator privileges is very dangerous and may
expose risks including:

 - tampering with images
 - deleting images
 - denial of service attacks

### Recommended Actions ###
A comprehensive fix will be included in the Mitaka release.  Meanwhile
it is recommended that all users ensure that `use_user_token` is left
at the default setting (`True`) or commented out.
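The check below is an added example (not part of the OSSN or of the Glance project) that audits a `glance-api.conf` for the combination the advisory describes: `use_user_token = False` together with `admin_user` and `admin_password`, plus the `data_api = glance.db.registry.api` setting that brings the v2 API into scope. It assumes those options live in `[DEFAULT]`, as in the sample `glance-api.conf` of the affected releases; the configuration texts and credentials are constructed placeholders. A commented-out option is treated as absent, so the secure default applies, which matches the recommended action above.

```python
import configparser
import io

# Constructed sample (placeholder credentials): the unsafe combination the
# advisory describes, with the registry data_api enabled.
UNSAFE_CONF = """\
[DEFAULT]
data_api = glance.db.registry.api
use_user_token = False
admin_user = glance-admin-placeholder
admin_password = placeholder-password
admin_tenant_name = service
"""

# Constructed sample: the option left at its default (True), which is secure.
SAFE_CONF = """\
[DEFAULT]
data_api = glance.db.sqlalchemy.api
use_user_token = True
"""

# Constructed sample: the option commented out; the default then applies,
# which the advisory also treats as safe.
COMMENTED_CONF = """\
[DEFAULT]
#use_user_token = False
#admin_user = glance-admin-placeholder
#admin_password = placeholder-password
"""

REGISTRY_DATA_API = "glance.db.registry.api"


def _as_bool(value, default):
    """Parse an oslo.config-style boolean; a missing value means the default."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_glance_api_conf(text):
    """Return a list of findings; an empty list means nothing to report.

    Assumption: use_user_token, admin_user, admin_password and data_api are
    all read from [DEFAULT], as in the sample glance-api.conf of the era.
    """
    section = _parse(text)["DEFAULT"]
    findings = []
    if _as_bool(section.get("use_user_token"), default=True):
        return findings  # default/secure setting (or commented out)
    findings.append("use_user_token is False; the secure default is True")
    if section.get("admin_user") and section.get("admin_password"):
        findings.append(
            "admin credentials are set, so API calls run as '%s' "
            "regardless of the calling user's privileges" % section["admin_user"]
        )
    if section.get("data_api", "").strip() == REGISTRY_DATA_API:
        findings.append("registry data_api is enabled, so the v2 API is affected too")
    return findings


def harden_glance_api_conf(text):
    """Return the configuration text with use_user_token restored to True."""
    parser = _parse(text)
    parser.set("DEFAULT", "use_user_token", "True")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    samples = (("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF), ("commented", COMMENTED_CONF))
    for name, conf in samples:
        print(name, audit_glance_api_conf(conf) or ["no findings"])
    print("hardened", audit_glance_api_conf(harden_glance_api_conf(UNSAFE_CONF)) or ["no findings"])
```

Run it against a real `glance-api.conf` by reading the file into `audit_glance_api_conf`; a non-empty result on a Juno, Kilo or Liberty deployment means the file should be brought back to the default before the Mitaka fix lands.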

### Contacts / References ###
This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0060
Original LaunchPad Bug: https://bugs.launchpad.net/glance/+bug/1493448
OpenStack Security Documentation: https://security.openstack.org
OpenStack Security Project: https://wiki.openstack.org/wiki/Security
Bug Introduction: https://review.openstack.org/#/c/29967/