[Openstack] [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
Eric Windisch
eric at cloudscaling.com
Wed Aug 8 04:33:57 UTC 2012
>
>
> What's the security vulnerability here? Its writing to something which
> might be a symlink to somewhere special, right?
>
Mounting filesystems tends to be a source of vulnerabilities in and of
itself. There are userspace tools as an alternative, but a standard OS
mount is clearly not secure. While libguestfs is such a userspace
alternative, and guestmount is in some ways safer than a standard mount, it
is not used by Nova in a way that has any clear advantage to a standard
mount as it runs as root.
As this CVE indicates, injecting data into a mounted filesystem has its own
problems, whether or not that filesystem is mounted directly in-kernel or
via FUSE. There are also solutions here, some very complex, few if any are
foolproof.
The solution here may be to use libguestfs, which seems to be a modern
alternative to mtools, but to use it as a non-privileged user and to forego
any illusions of mounting the filesystem anywhere via the kernel or FUSE.
--
Regards,
Eric Windisch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120808/c58ce5e7/attachment.html>
More information about the Openstack
mailing list