Message-Id: <20141014050153.40A61C50618@smtptsrv1.mitre.org>
Date: Tue, 14 Oct 2014 01:01:53 -0400 (EDT)
From: cve-assign@...re.org
To: jeremy@...nstack.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for vulnerability in OpenStack Nova

> Title: Nova VMware driver may connect VNC to another tenant's console
> Products: Nova
> Versions: up to 2014.1.3
> 
> Marcio Roberto Starke reported a vulnerability in the Nova VMware
> driver. A race condition in its VNC port allocation may cause it to
> connect the wrong console if instances are created concurrently. By
> repeatedly spawning new instances, an authenticated user may be able
> to gain unauthorized console access to instances belonging to other
> tenants. Only Nova setups using the VMware driver and the VNC proxy
> service are affected.
> 
> References:
> https://launchpad.net/bugs/1357372


> When spawning some instances, nova VMware driver could have a race
> condition in VNC port allocation. Although the get_vnc_port function
> has a lock it does not guarantee that the whole vnc port allocation process
> is locked, so another instance could receive the same port if it
> requests the VNC port before nova has finished the vnc port allocation
> to another VM.
> 
> If the instances with the same VNC port are allocated in the same host it
> could lead to improper access to the instance console.
> 
> Reproduce the problem: Launch two or more instances at the same time. In
> some cases one instance could execute the get_vnc_port and pick a port
> but before this instance has finished the _set_vnc_config another
> instance could execute get_vnc_port and pick the same port.


> it looks like something an attacker could probably leverage repetition
> to eventually exploit

Use CVE-2014-8750.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
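
Added example, not part of the original message and not Nova's code: a minimal Python simulation of the check-then-act race the report describes, next to one way to close it by holding the lock across both the port lookup and the config write. The `Host` class, the port range, the barrier used to force the interleaving, and `shared_ports` are constructed for illustration; only the names `get_vnc_port` and `set_vnc_config` come from the report.

```python
import threading

VNC_PORTS = range(5900, 6000)   # constructed port range, not taken from the report

class Host:  # constructed stand-in for one hypervisor host: VM name -> VNC port
    def __init__(self):
        self.vnc_config = {}
        self.lock = threading.Lock()

    def first_free_port(self):
        used = set(self.vnc_config.values())
        return next(p for p in VNC_PORTS if p not in used)

    def get_vnc_port(self):
        with self.lock:                      # lock covers the lookup only
            return self.first_free_port()

    def set_vnc_config(self, vm, port):
        self.vnc_config[vm] = port

def spawn_racy(host, vm, gate):
    port = host.get_vnc_port()
    gate.wait()                              # every spawn has picked, none has committed
    host.set_vnc_config(vm, port)

def spawn_locked(host, vm, gate):
    gate.wait()                              # start all spawns together
    with host.lock:                          # pick and commit as one critical section
        host.set_vnc_config(vm, host.first_free_port())

def run(spawn, n=4):
    host, gate = Host(), threading.Barrier(n)
    threads = [threading.Thread(target=spawn, args=(host, f"vm-{i}", gate)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return host.vnc_config

def shared_ports(config):
    """Audit check: VNC ports that are configured on more than one VM."""
    by_port = {}
    for vm, port in config.items():
        by_port.setdefault(port, []).append(vm)
    return {p: sorted(vms) for p, vms in by_port.items() if len(vms) > 1}

if __name__ == "__main__":
    for spawn in (spawn_racy, spawn_locked):
        print(spawn.__name__, shared_ports(run(spawn)))
```

The same `shared_ports` grouping can be run over an inventory of real VM-to-port assignments per host to find consoles that already share a port.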
