[Openstack-security] [Bug 1649248] Re: Glance image upload wizard does not restrict invalid image files

Luke Hinds lhinds at redhat.com
Thu Mar 16 17:26:35 UTC 2017


After discussing this in the OSSP meeting, I will mark this as won't fix
for the OSSN, as we have already covered the recommended actions for this in
several previous OSSNs. There is also a good amount of info in the
security guide around protecting endpoints and the access controls
available for glance.

** Changed in: ossn
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1649248

Title:
  Glance image upload wizard does not restrict invalid image files

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Won't Fix

Bug description:
  An unrestricted file upload exists when an application allows users to upload files without proper validation. Glance fails to properly validate image files across four key factors: file extension, MIME type, size, and upload frequency. In addition, Glance does not appear to scan uploaded files for known malware.
  Failing to restrict file uploads affects the security of the OpenStack environment in a number of ways. Attackers may commonly use file upload functionality to upload viruses or malware onto trusted servers. In addition to spreading malware, attackers can upload source code files (.aspx and .jsp, for example) which may be rendered as valid application pages to end users. Additionally, if users are able to upload files of any size or at any frequency, an attacker may abuse this functionality to exhaust the server's disk space.

  Steps To Reproduce:
  1. Log in to OpenStack as an admin.
  2. Click on the Images tab and create a new image by uploading an EICAR text file containing the anti-malware test string (the EICAR anti-malware test file can be downloaded from http://www.eicar.org/ ).
  3. Observe that the file is uploaded successfully without any pre-checks being done.

  The application should validate uploaded files for type and size, and
  limit how often the user is able to perform uploads. The following
  validation can be performed:

  a) If the application requires uploaded files to be of a specific type such as img, vmdk, the application should validate the extension.
  b) The first four bytes of the file, i.e. the magic number, can be validated. These first few bytes are known as the file's 'magic number' and will uniquely identify the file type. For example, all PDF files start with the byte sequence '%PDF'.
  c) An upper limit on file size can be enforced.

  In addition to the primary criteria above, all uploaded files should
  be scanned for known malware/viruses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1649248/+subscriptions
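As an added example (not Glance's code, and not from the report or this thread), the following Python sketches the four controls the report asks for: an extension allow-list keyed on the declared disk_format, a magic-number check, a size ceiling, and a per-user upload rate limit. The function and class names, the disk_format-to-magic table and the sample inputs are assumptions for illustration; the plain-text sample stands in for the EICAR file rather than embedding the real test string.

```python
import os
import struct
import time
from collections import defaultdict, deque

# Assumed mapping (not Glance's): declared disk_format -> acceptable extensions.
ALLOWED_EXTENSIONS = {
    "qcow2": {".qcow2", ".img"},
    "vmdk": {".vmdk"},
    "vdi": {".vdi"},
    "vhd": {".vhd"},
    "vhdx": {".vhdx"},
    "iso": {".iso"},
    "raw": {".raw", ".img"},
}

# Magic numbers as (offset, expected bytes); any one match accepts the format.
# 'raw' has no magic at all, and a fixed-size 'vhd' carries its "conectix"
# footer only in the last 512 bytes, so both are special-cased below.
MAGIC = {
    "qcow2": [(0, b"QFI\xfb")],
    "vmdk": [(0, b"KDMV"), (0, b"# Disk DescriptorFile")],
    "vdi": [(0x40, b"\x7f\x10\xda\xbe")],  # 0xbeda107f, little-endian
    "vhdx": [(0, b"vhdxfile")],
    "iso": [(0x8001, b"CD001")],           # ISO 9660 primary volume descriptor
}


def header_matches(disk_format: str, data: bytes) -> bool:
    """True if `data` carries a magic number consistent with `disk_format`."""
    if disk_format == "raw":
        # A raw image is just a byte-for-byte disk; there is nothing to check,
        # which is why a text file declared 'raw' passes every structural test.
        return True
    if disk_format == "vhd":
        return data.startswith(b"conectix") or data[-512:].startswith(b"conectix")
    return any(data[off:off + len(sig)] == sig for off, sig in MAGIC[disk_format])


def validate_upload(filename: str, disk_format: str, data: bytes, max_bytes: int) -> list:
    """Run the extension, size and magic-number checks; return rejection reasons
    (an empty list means the upload passes)."""
    if disk_format not in ALLOWED_EXTENSIONS:
        return [f"unknown disk_format {disk_format!r}"]
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS[disk_format]:
        reasons.append(f"extension {ext!r} not allowed for disk_format {disk_format}")
    if len(data) > max_bytes:
        reasons.append(f"size {len(data)} bytes exceeds limit of {max_bytes}")
    if not header_matches(disk_format, data):
        reasons.append(f"content does not carry a {disk_format} magic number")
    return reasons


class UploadRateLimiter:
    """Per-user sliding window: at most `limit` uploads in any `window` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)

    def allow(self, user: str) -> bool:
        now = self.clock()
        events = self._events[user]
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


# Constructed sample inputs (not real images): a minimal qcow2 header with
# version 3, and an ASCII file standing in for the EICAR test file.
QCOW2_HEADER = b"QFI\xfb" + struct.pack(">I", 3) + b"\x00" * 64
TEXT_FILE = b"PLAIN TEXT STAND-IN FOR THE EICAR TEST FILE\n"

if __name__ == "__main__":
    limit = 1 << 30
    print("qcow2 as qcow2:", validate_upload("disk.qcow2", "qcow2", QCOW2_HEADER, limit))
    print("text as qcow2: ", validate_upload("eicar.txt", "qcow2", TEXT_FILE, limit))
    print("text as raw:   ", validate_upload("eicar.img", "raw", TEXT_FILE, limit))
    rl = UploadRateLimiter(limit=2, window=60)
    print("rate limit:", [rl.allow("admin") for _ in range(3)])
```

The third call is the caveat a practitioner should take from the report: a raw disk image has no magic number and is a legitimate Glance disk_format, so a text file declared raw passes the extension, magic and size checks. Only content scanning (the report's final recommendation) or restricting who may upload at all addresses that case, which is what the endpoint and access-control guidance referenced above covers.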
