Hi Nick,
> It is not apparent to me who is waiting on what right now.
I'm waiting on reviews, though Rajat suggested to me that I do a video session to explain the whole issue to facilitate reviews and assessment.
> * Could this be executed remotely?
Yes, a normal user with normal credentials can exploit it.
> * What is the level of complexity to exploit?
Trivial.
Basically create a VM, attach one of your volumes to it, ask Cinder to delete the attachment record for the volume, then wait for another volume from any user to be attached to the same host and read the data.
This only works for iSCSI drivers that share targets, and some FC drivers.
> * Could an attacker exploit this multiple times and eventually gain control of all images within the OpenStack deployment?
The attacker would have access to volumes as long as they are present on the host.
So if the owner of the volume detaches it, or the instance is migrated to another host, then access to the volume is lost.
> * Attacker would need at least a basic user account, right?
Yes