[Openstack-security] [Bug 1554288] Re: [FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability Notification
Jeremy Stanley
fungi at yuggoth.org
Tue Mar 29 15:40:26 UTC 2016
Since there are no objections, I'm switching this to public and marking
as a hardening opportunity.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1554288
Title:
[FG-VD-16-015] Openstack Glance Authenticated User DoS Vulnerability Notification
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
--
Vulnerability Notification
March 7, 2016
Tracking Case #: FG-VD-16-015
Dear Openstack,
The following information pertains to information discovered by
Fortinet's FortiGuard Labs. It has been determined that a
vulnerability exists in Openstack Glance module. To streamline the
disclosure process, we have created a preliminary advisory which you
can find below. This upcoming advisory is purely intended as a
reference, and does not contain sensitive information such as proof of
concept code.
As a mature corporation involved in security research, we strive to
responsibly disclose vulnerability information. We will not post an
advisory until we determine it is appropriate to do so in coordination
with the vendor unless a resolution cannot be reached. We
will not disclose full proof of concept, only details relevant to the
advisory.
We look forward to working closely with you to resolve this issue, and
kindly ask for your co-operation during this time. Please let us know
if you have any further questions, and we will promptly respond to
address any issues.
If this message is not encrypted, it is because we could not find your
key to do so. If you have one available for use, please notify us and
we will ensure that this is used in future correspondence. We ask you
use our public PGP key to encrypt and communicate any sensitive
information with us. You may find the key on our FortiGuard center at:
http://www.fortiguard.com/pgp_key.html.
Type of Vulnerability & Repercussions:
DoS
Affected Software:
Ubuntu 14.04.3 with latest repository installed
# apt-get install software-properties-common
# add-apt-repository cloud-archive:liberty
Upcoming Advisory Reference:
http://www.fortiguard.com/advisory/UpcomingAdvisories.html
Credits:
This vulnerability was discovered by Fortinet's FortiGuard Labs.
Proof of Concept/How to Reproduce:
1. Run the script "sh curl_get_token_demo_work.txt" to get a valid non-admin or admin user token. You need to replace "tenantName", "username" and "password" with your Openstack credentials.
2. Open script glance_DoS.py, and replace the line 30 "x-auth-token" value with the above token value, also replace the IP in url "http://10.0.0.11:9191/images" with your Openstack control node IP address.
3. Run the script glance_DoS.py, which will keep running forever. You can check the images added by the script using the console command "glance image-list" or by clicking the Dashboard images column. You will notice you cannot delete the images added by the script; it prompts a failure. Refer to the screenshots glance_cli_delete_fail.png and dashboard_delete_garbage_image_fail.png.
4. Because neither a non-admin nor an admin user can delete the garbage images, with the above PoC running forever more and more garbage images are added. So finally a DoS can be caused because resources are exhausted or the glance database query becomes very, very slow.
Notes:
1) Run the PoC glance_DoS.py in Windows 7.
Additional Information: