[OSSN-0091] BMC emulators developed in OpenStack community do not preserve passwords on VMs

Jay Faulkner jay at gr-oss.io
Mon Oct 31 21:07:20 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090

The correct link to the OSSN is
https://wiki.openstack.org/wiki/OSSN/OSSN-0091. My apologies for the error.

- --
Jay Faulkner

On 2022-10-31 at 21:04, jay at gr-oss.io wrote:
> ## Summary ##
> When deploying VirtualBMC or Sushy-Tools in an unsupported, production-like
> configuration, it can remove secret data, including VNC passwords, from a
> libvirt domain permanently. Operators impacted by this vulnerability must
> reconfigure any secret data, including VNC passwords, for the libvirt
> domain.
>
> These virtual machine emulators are tools to help emulate a physical
> machine's Baseboard Management Controller (BMC) to aid in development and
> testing of software that would otherwise require physical machines to
> perform integration testing activities. They are not intended or supported
> for production or long-term use of any kind.
>
> ## Affected Services / Software ##
> * Sushy-Tools, <=0.21.0
> * VirtualBMC, <=2.2.2
>
> There is no impact to any OpenStack software or services intended for
> production use.
>
> ## Patches ##
> * VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620
> * Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625
>
> ## Discussion ##
> To perform some advanced operations on Libvirt virtual machines, the
> underlying XML document describing the virtual machine's domain must be
> extracted, modified, and then updated. These specific actions are for
> aspects such as "setting a boot device" (VirtualBMC, Sushy-Tools), setting
> a boot mode (Sushy-Tools), and setting a virtual media device
> (Sushy-Tools).
>
> This issue is triggered when a VM has any kind of "secure" information
> defined in the XML domain definition. If an operator deploys VirtualBMC or
> Sushy-Tools to manage one of these libvirt VMs, the first time any action
> is performed that requires rewriting of the XML domain definition, all
> secure information -- including a VNC console password, if set -- is lost
> and removed from the domain definition, leaving the libvirt VMs exposed to
> a malicious console user.
>
> ## Recommended Actions ##
> Operators who may have been impacted by this vulnerability should
> immediately remove use of VirtualBMC and/or Sushy-Tools from their
> production environment. Then, validate and, if necessary, reconfigure
> passwords for VNC access or any other impacted secrets.
>
> ## Notes ##
> The OpenStack team will ensure documentation is updated to clearly state
> these software packages are intended for development/CI use only, and are
> not safe to run in production.
>
> ## Credits ##
> Julia Kreger from Red Hat
>
> ## References ##
> Author: Jay Faulkner, G-Research Open Source Software
> This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090
> Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382
> Mailing List : [Security] tag on openstack-discuss at lists.openstack.org
> OpenStack Security Project : https://launchpad.net/~openstack-ossg
> CVE: CVE-2022-44020
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
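
For the "validate" step under Recommended Actions, the following is an added example, not part of the advisory and not VirtualBMC or Sushy-Tools code. It assumes the domain XML was captured with security info included (for example `virsh dumpxml --security-info`); the sample XML, the placeholder password and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: domain XML saved with security info before the BMC
# emulator touched the VM. The password is a placeholder.
BEFORE = """<domain type='kvm'>
  <name>node-0</name>
  <devices>
    <graphics type='vnc' port='5900' listen='0.0.0.0' passwd='EXAMPLE-ONLY'/>
  </devices>
</domain>"""

# Constructed sample: the same domain after a boot-device rewrite of the XML.
AFTER = """<domain type='kvm'>
  <name>node-0</name>
  <os><boot dev='network'/></os>
  <devices>
    <graphics type='vnc' port='5900' listen='0.0.0.0'/>
  </devices>
</domain>"""

PASSWORD_CAPABLE = ("vnc", "spice")  # graphics types that accept passwd=


def graphics_passwords(domain_xml):
    """Map (index, type) of each VNC/SPICE device to whether passwd is set."""
    root = ET.fromstring(domain_xml)  # input is local libvirt output
    devices = [g for g in root.findall("./devices/graphics")
               if g.get("type") in PASSWORD_CAPABLE]
    return {(i, g.get("type")): bool(g.get("passwd"))
            for i, g in enumerate(devices)}


def unprotected_consoles(domain_xml):
    """Consoles with no password in a dump that includes security info."""
    state = graphics_passwords(domain_xml)
    return sorted(dev for dev, has_pw in state.items() if not has_pw)


def lost_passwords(before_xml, after_xml):
    """Consoles that had a password in before_xml but not in after_xml."""
    before = graphics_passwords(before_xml)
    after = graphics_passwords(after_xml)
    return sorted(d for d, had in before.items() if had and not after.get(d))


if __name__ == "__main__":
    print("unprotected now:", unprotected_consoles(AFTER))
    print("lost since backup:", lost_passwords(BEFORE, AFTER))
```

A dump taken without security info omits `passwd` even when one is set, so running the check on such a dump reports every console as unprotected.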


