[Openstack-security] [Bug 1649248] Re: Glance image upload wizard does not restrict invalid image files

Tristan Cacqueray tdecacqu at redhat.com
Wed Mar 15 05:02:26 UTC 2017


Opening this report and adding an OSSN task based on above comments.

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  An unrestricted file upload exists when an application allows users to upload files without proper validation. Glance fails to properly validate image files across four key factors: file extension, MIME type, size, and upload frequency. In addition, Glance does not appear to scan uploaded files for known malware.
  Failing to restrict file uploads affects the security of the OpenStack environment in a number of ways. Attackers commonly use file upload functionality to upload viruses or malware onto trusted servers. In addition to spreading malware, an attacker can upload source code files (.aspx and .jsp, for example) which may be rendered as valid application pages to end users. Additionally, if users are able to upload files of any size or at any frequency, an attacker may abuse this functionality to exhaust the server's disk space.
  
  Steps To Reproduce:
  1. Log in to OpenStack as an admin
  2. Click on the Images tab and create a new image by uploading an EICAR text file containing the anti-malware test string (the EICAR anti-malware test file can be downloaded from http://www.eicar.org/ )
  3. Observe that the file is uploaded successfully without any pre-checks being done.
  
  The application should validate uploaded files for type and size, and
  limit how often the user is able to perform uploads. The following
  validation can be performed:
  
  a) If the application requires uploaded files to be of a specific type, such as img or vmdk, the application should validate the extension.
  b) The first four bytes of the file, i.e. the magic number, can be validated. These first few bytes are known as the file's 'Magic Number' and uniquely identify the file type. For example, all PDF files start with the byte sequence '%PDF'.
  c) An upper limit on file size can be enforced.
  
  In addition to the primary criteria above, all uploaded files should be
  scanned for known malware/viruses.
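The pre-checks the report asks for (extension, magic number, size cap, and an upload-frequency limit), as an added Python example; this is not Glance or Horizon code. The magic-number table, the size cap and the rate-limit values are assumptions chosen for illustration, and a raw (img) disk image carries no signature, so it can only be checked by extension and size.

```python
"""Upload pre-checks for disk image files: extension, magic number, size, rate."""
import os
import time
from collections import defaultdict, deque

# Signatures at offset 0 for a few formats Glance can store (assumed table).
# Raw ("img") images have no signature and cannot be verified this way.
MAGIC = {
    "qcow2": b"QFI\xfb",   # QCOW2 header magic
    "vmdk": b"KDMV",       # VMDK sparse extent header
    "vhd": b"conectix",    # dynamic VHD header cookie
}
MAX_BYTES = 10 * 1024 ** 3  # example upper limit; tune per deployment


def check_upload(filename, data, max_bytes=MAX_BYTES):
    """Return (ok, reason). Order: extension, size, then content signature."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in MAGIC and ext != "img":
        return False, f"extension .{ext} not allowed"
    if len(data) > max_bytes:
        return False, "file exceeds size limit"
    if ext == "img":
        # Raw images are opaque: extension and size are the only checks possible.
        return True, "raw image: no magic number to verify"
    if not data.startswith(MAGIC[ext]):
        # A text file renamed to .qcow2 (e.g. the EICAR test file) fails here.
        return False, f"content does not match {ext} signature"
    return True, "ok"


class UploadRateLimiter:
    """Allow at most `limit` uploads per `window` seconds per user (sliding window)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, user, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[user]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample: a text blob submitted under an image extension.
    print(check_upload("disk.qcow2", b"plain text, not a disk image"))
```

Malware scanning, the remaining item in the report, is a separate step that would run on the stored object after these checks pass.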

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649248

Title:
  Glance image upload wizard does not restrict invalid image files

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1649248/+subscriptions