[Openstack-security] [Bug 1649248] Re: Glance image upload wizard does not restrict invalid image files

Luke Hinds lhinds at redhat.com
Wed Mar 15 10:16:56 UTC 2017


Hmm, I am not even sure this constitutes an OSSN. It's kind of obvious
that if you publicly expose a service which can store objects, then it's
fair game for people to dump bad content there.

This is going to be yet another 'rate limit / set rbac to admin' OSSN,
which we are now doing on a monthly basis. This is covered in the
security guide [1].

[1] https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html

I would say unless there is some sort of execution / escalation exploit
like Ian describes, then this is wish list or recommend a patch to the
sec guide.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649248

Title:
  Glance image upload wizard does not restrict invalid image files

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  An unrestricted file upload exists when an application allows users to upload files without proper validation. Glance fails to properly validate image files across four key factors, including file extension, MIME type, size, and upload frequency. In addition, Glance does not appear to scan uploaded files for known malware.
  Failing to restrict file uploads affects the security of the OpenStack environment in a number of ways. Attackers commonly use file upload functionality to upload viruses or malware onto trusted servers. In addition to spreading malware, an attacker can upload source code files (.aspx and .jsp, for example) which may be rendered as valid application pages to end users. Additionally, if users are able to upload files of any size or at any frequency, an attacker may abuse this functionality to exhaust the server’s disk space.

  Steps To Reproduce:
  1. Log in to OpenStack as an admin.
  2. Click on the Images tab and create a new image by uploading an EICAR text file containing the anti-malware test string (the EICAR anti-malware test file can be downloaded from http://www.eicar.org/ ).
  3. Observe that the file is uploaded successfully without any pre-checks being done.

  The application should validate uploaded files for type and size, and
  limit how often the user is able to perform uploads. The following
  validation can be performed:

  a) If the application requires uploaded files to be of a specific type, such as img or vmdk, the application should validate the extension.
  b) The first four bytes of the file, i.e. the magic number, can be validated. These first few bytes are known as the file’s ‘magic number’ and will uniquely identify the file type. For example, all PDF files start with the byte sequence ‘%PDF’.
  c) An upper limit on file size can be enforced.

  In addition to the primary criteria above, all uploaded files should
  be scanned for known malware/viruses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1649248/+subscriptions
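The checks the bug description lists (extension allowlist, magic-number check, size cap, upload-frequency limit), as an added example of how a server-side gate in front of an image store could apply them. This is illustrative code, not code from Horizon or Glance. The magic bytes and offsets for QCOW2 (b"QFI\xfb" at offset 0), sparse VMDK extents (b"KDMV" at offset 0) and ISO 9660 ("CD001" at byte 0x8001) come from those formats' specifications; the policy table, the 10 GiB limit, the function names and the sample inputs are constructed for the example. Raw disk images carry no signature, so they can only be checked by extension and size, which is why the table marks them with None.

```python
"""Added example: server-side validation of disk-image uploads (not Glance/Horizon code)."""
import collections
import os

# Constructed policy: declared disk format -> (allowed extensions, (offset, magic bytes)).
# Magic values per the format specs; a magic of None means the format is unverifiable
# by signature (raw images) and only the extension and size checks apply.
# Note: descriptor-only VMDK files start with "# Disk DescriptorFile" rather than "KDMV";
# a production check would need to accept that variant as well.
FORMAT_POLICY = {
    "qcow2": ({".qcow2", ".img"}, (0, b"QFI\xfb")),
    "vmdk":  ({".vmdk"},          (0, b"KDMV")),
    "iso":   ({".iso"},           (0x8001, b"CD001")),
    "raw":   ({".raw", ".img"},   None),
}
DEFAULT_MAX_BYTES = 10 * 1024 ** 3  # constructed upper limit: 10 GiB


def validate_image(filename, data, declared_format, max_bytes=DEFAULT_MAX_BYTES):
    """Return a list of rejection reasons for an upload; an empty list means it passes.

    `data` is the uploaded content as bytes (a real service would read from a stream,
    but the checks are the same: extension, size, and the format's magic number).
    """
    reasons = []
    policy = FORMAT_POLICY.get(declared_format)
    if policy is None:
        return [f"unsupported disk_format {declared_format!r}"]
    allowed_exts, magic = policy

    # a) extension allowlist, compared case-insensitively against the declared format
    ext = os.path.splitext(filename)[1].lower()
    if ext not in allowed_exts:
        reasons.append(f"extension {ext!r} not allowed for {declared_format}")

    # c) size bounds: reject empty uploads and anything over the cap
    if len(data) == 0:
        reasons.append("empty file")
    elif len(data) > max_bytes:
        reasons.append(f"size {len(data)} exceeds limit {max_bytes}")

    # b) magic number: the bytes at the format's signature offset must match
    if magic is not None:
        offset, expected = magic
        if data[offset:offset + len(expected)] != expected:
            reasons.append(f"content does not carry the {declared_format} signature")
    return reasons


class UploadRateLimiter:
    """Sliding-window limit on uploads per user (the 'upload frequency' factor)."""

    def __init__(self, max_uploads, window_seconds):
        self.max_uploads = max_uploads
        self.window = window_seconds
        self._events = collections.defaultdict(collections.deque)

    def allow(self, user, now):
        """Record an upload attempt at time `now` and say whether it is permitted."""
        events = self._events[user]
        while events and now - events[0] >= self.window:  # drop attempts outside the window
            events.popleft()
        if len(events) >= self.max_uploads:
            return False
        events.append(now)
        return True


if __name__ == "__main__":
    # Constructed inputs: a minimal QCOW2 header versus a plain-text file named .qcow2,
    # which mirrors the EICAR text file in the bug report's reproduction steps.
    print(validate_image("cirros.qcow2", b"QFI\xfb" + b"\x00" * 60, "qcow2"))
    print(validate_image("test.qcow2", b"just a text file, not a disk image", "qcow2"))
    print(validate_image("page.jsp", b"<% out.println(1); %>", "raw"))
```

The EICAR reproduction in the report is covered by the second case: a text file declared as qcow2 fails the magic-number check and is rejected before it reaches the store. Malware scanning, the report's final recommendation, is a separate step that would run after these structural checks pass.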
