Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <523B47D9.2020508@redhat.com>
Date: Thu, 19 Sep 2013 12:52:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        Thierry Carrez <thierry@...nstack.org>,
        Jeremy Stanley <jeremy@...nstack.org>
Subject: OpenStack: Glance image creation in other tenant accounts (CVE-2013-4354)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With apologies, I was supposed to send this out yesterday but missed
it. I spoke with upstream and we agreed that making this public does
not present a major risk.

- From https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4354

==========
Dafna Ron of Red Hat reports:

Description of problem:

when I try to create an image with tenant name and not tenant ID, the
image is not created and no errors are issued.
you simply cannot find the image.

Version-Release number of selected component (if applicable):

openstack-glance-2013.1.3-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. install AIO with local tgt storage (using packstack)
2. create a tenant and a user
3. create an image for the tenant using the tenant name
4. run glance image-list while logging in with user
5. run the same create command using tenant ID
6. run glance image-list while logging in with the user

Actual results:

image is no created with tenant name.
no errors or indicators that the image was not created.

Expected results:

image should be created with tenant name
if we decided not to allow create of image with tenant name we should
block the command from running with missing param error

========

Upon further investigation Flavio Percoco of Red Hat reports:

Ayal suggested this could also be a security issue. I went ahead and
tested current behavior and indeed, this behavior could be used to
inject images to other users.

Scenario:
- - Create an image using user1
- - Pick tenant's id of user2 and add it as a member of the image user1
just created
- - Use user2 to list images. This will list the image user1 created.

I think this is an issue because it allows user from other tenants to
sneak images with a backdoor to other tenants.
==========


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSO0fYAAoJEBYNRVNeJnmTrm4QAKP8lbvyPi6UbqGFDBcZbNcw
K8H9Qrg0IPR6P2cLJMpMN0RKkMlkPy7sHJZXx3Yg4ki2wJ39rq5/XyaMs0y3QvbX
OumUV9hw81CuODPbpT+n5qaIWShB2LWDUK5hOvezDAyjrQTt6F0BGvkDMFp8mEA5
IX074I5590GgrNRcr1YtJyRDEblP0Q6Xcm4Pla3ShuyH39Vj6TGQDhru5Pu/0WtU
9WrDmMC7koXLzcFPj3y7XUvhE6ftjlX/9Cnc8aYA+nLA4xMVlDPazprFmcf68pWc
VUWA6C2BtsQOA30tarzHSAdd0eKiGSQ7VqKhT0Kis8rrgA65EwXKZ8CecnVdTfy6
yTGINC18iBoqR4M9bRmVpDE5xawtM0cf1BUzZZEq3pGL6ZiuALWqhMjxXRFiWOaz
Lg+92OvopIBl+L0ncWXwC0IhBvmanBl4VzPItbNlMRmgyXLUNdlRuyDJzfWci6Z8
Uh4kyl/Xk3sqBgdJOyd+gS8IRxlsqxOitppkpScDFTc7yNXzrqLS+fe1Duhkrct6
g1tKmvrBvKzOqfglSxHmABR81YS5m3DRvSEGpKsNN1uest/hNpRpbVUUB0PbgD0I
UEeug7jmKwLe1igBXrctxrBc/RRtw5c1PmvlbXDFmt3tLpl0ar0d+iuPTdZQZzee
WaPgP+KUFohNJyS/2Ljn
=gLOM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.