[Openstack] [OSSN 0038] Suds client subject to cache poisoning by local attacker

Nathan Kinder nkinder at redhat.com
Thu Dec 18 06:41:24 UTC 2014


Suds client subject to cache poisoning by local attacker
---

### Summary ###
Suds is a Python SOAP client for consuming Web Services. Its default
cache implementation stores pickled objects to a predictable path in
/tmp. This can be used by a local attacker to redirect SOAP requests via
symlinks or run a privilege escalation or code execution attack.

### Affected Services / Software ###
Cinder, Nova, Grizzly, Havana, Icehouse

### Discussion ###
The Python 'suds' package is used by oslo.vmware to interface with SOAP
service APIs and both Cinder and Nova have dependencies on oslo.vmware
when using VMware drivers. By default suds uses an on-disk cache that
places pickle files, serialised Python objects, into a known location
'/tmp/suds'. A local attacker could use symlinks or place crafted files
into this location that will later be deserialised by suds.

By manipulating the content of the cached pickle files, an attacker can
redirect or modify SOAP requests. Alternatively, pickle may be used to
run injected Python code during the deserialisation process. This can
allow the spawning of a shell to execute arbitrary OS level commands
with the permissions of the service using suds, thus leading to possible
privilege escalation.

At the time of writing, the suds package appears largely unmaintained
upstream. However, vendors have released patched versions that do not
suffer from the predictable cache path problem. Ubuntu is known to offer
one such patched version (python-suds_0.4.1-2ubuntu1.1).

### Recommended Actions ###
The recommended solution to this issue is to disable cache usage in the
configuration as shown:

  'client.set_options(cache=None)'

A fix has been released to oslo.vmware (0.6.0) that disables the use of
the disk cache by default. Cinder and Nova have both adjusted their
requirements to include this fixed version. Deployers wishing to
re-enable the cache should ascertain whether or not their vendor-shipped
suds package is susceptible and consider the above advice.
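
One way a deployer could inspect the cache location described in this
notice before re-enabling the cache, as an added example that is not part
of the original notice, suds or oslo.vmware. The function name
audit_cache_dir and the finding labels are assumptions, and the check
assumes a POSIX host and that it runs as the service account.

```python
import os
import stat

SUDS_DEFAULT_CACHE = "/tmp/suds"  # predictable location named in this notice


def audit_cache_dir(path=SUDS_DEFAULT_CACHE, expected_uid=None):
    """Return findings for an on-disk cache directory; [] means none."""
    if expected_uid is None:
        expected_uid = os.getuid()  # assumption: run as the service account
    try:
        st = os.lstat(path)  # lstat so a symlink at the path is not followed
    except FileNotFoundError:
        # Nothing to deserialise yet, but any local user may create it first.
        return ["absent"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append("foreign-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    try:
        names = sorted(os.listdir(path))
    except PermissionError:
        return findings + ["unreadable"]
    for name in names:
        est = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(est.st_mode):
            findings.append("symlink-entry:" + name)
        elif est.st_uid != expected_uid:
            findings.append("foreign-entry:" + name)
    return findings


if __name__ == "__main__":
    result = audit_cache_dir()
    print(SUDS_DEFAULT_CACHE, "->", result or "no findings")
```

Any finding other than an empty list means the directory should not be
trusted as a source of pickled objects for the service.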

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0038
Original Launchpad Bug : https://bugs.launchpad.net/ossn/+bug/1341954
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Suds: https://pypi.python.org/pypi/suds
CVE: CVE-2013-2217