[OSSA 2012-011] CVE-2012-3361 not fully addressed

Bug #1031311 reported by Pádraig Brady
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Compute (nova)       Fix Released  Critical    Pádraig Brady
  Essex                        Fix Released  Critical    Pádraig Brady
OpenStack Security Advisory    Fix Released  Undecided   Thierry Carrez
nova (Ubuntu)                  Fix Released  Undecided   Unassigned
  Precise                      Fix Released  Undecided   Unassigned

Bug Description

Unfortunately the patches released for bug 1015531, didn't consider permissions in the guest.

If there is a root only readable directory in the guest containing the dodgy symlinks, then they will not be detected by _join_and_check_path_within_fs() because it runs as the nova user.
Therefore the equivalent of this function needs to run as the root user.

Folsom patch attached.
Diablo & Essex versions would need readlink added to rootwrap
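The check described in the bug report, as an added example that is not nova's `_join_and_check_path_within_fs()` or any of the attached patches: a path is joined under the mounted guest root, symlinks are resolved, and the result must stay inside the root. The point the report makes is that resolution has to be done by a principal that can actually look inside every directory; this example shows the other half of that, a checker that refuses to guess when it cannot inspect a component (it fails closed with PermissionError instead of treating an unreadable entry as a plain file). The guest tree, the host-side target path and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def canonical_path(path):
    """Resolve symlinks in path, then re-verify every component with lstat.

    os.path.realpath() silently treats a component it cannot inspect (e.g. a
    link inside a directory the caller may not traverse) as an ordinary name.
    Re-walking the result catches that: a PermissionError propagates (fail
    closed), and a component that is still a symlink means resolution was
    incomplete.  Components that do not exist yet are allowed, because the
    file being injected may not exist in the guest image.
    """
    resolved = os.path.realpath(path)
    current = os.sep
    for name in resolved.split(os.sep):
        if not name:
            continue
        current = os.path.join(current, name)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break  # remainder of the path does not exist yet; nothing to resolve
        if stat.S_ISLNK(st.st_mode):
            raise PermissionError("unresolved symlink component: %s" % current)
    return resolved


def join_and_check_path_within_fs(fs_root, *parts):
    """Join parts under fs_root (the mounted guest image) and return the
    canonical path, refusing anything that resolves outside fs_root.
    Hypothetical helper for this example, not nova's function."""
    root = canonical_path(fs_root)
    joined = os.path.join(root, *[p.lstrip(os.sep) for p in parts])
    full = canonical_path(joined)
    if full != root and not full.startswith(root + os.sep):
        raise ValueError("%s resolves outside %s" % (joined, root))
    return full


def run_demo():
    """Build a constructed guest tree in a temp dir and exercise the check."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as guest, tempfile.TemporaryDirectory() as host:
        os.makedirs(os.path.join(guest, "etc"))
        # 1. Ordinary file inside the guest: allowed.
        open(os.path.join(guest, "etc", "hosts"), "w").close()
        expected = os.path.join(os.path.realpath(guest), "etc", "hosts")
        outcomes["plain"] = "ok" if join_and_check_path_within_fs(guest, "etc", "hosts") == expected else "bad"
        # 2. Symlink pointing at a host-side path: rejected.
        os.symlink(os.path.join(host, "host-file"), os.path.join(guest, "etc", "motd"))
        try:
            join_and_check_path_within_fs(guest, "etc", "motd")
            outcomes["escape"] = "allowed"
        except ValueError:
            outcomes["escape"] = "rejected"
        # 3. The same symlink, inside a directory with mode 000 (the scenario
        #    from the bug report).  A checker that can look inside (root)
        #    resolves it and rejects; one that cannot must fail closed.
        hidden = os.path.join(guest, "root")
        os.mkdir(hidden)
        os.symlink(os.path.join(host, "host-file"), os.path.join(hidden, "link"))
        os.chmod(hidden, 0)
        try:
            try:
                join_and_check_path_within_fs(guest, "root", "link")
                outcomes["hidden"] = "allowed"
            except ValueError:
                outcomes["hidden"] = "rejected"      # checker could inspect the directory
            except PermissionError:
                outcomes["hidden"] = "fail_closed"   # checker could not; refuse rather than guess
        finally:
            os.chmod(hidden, 0o700)  # let TemporaryDirectory clean up
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Run as an unprivileged user the third case reports `fail_closed`; run as root it reports `rejected`. Either is safe, and the difference is exactly why the fix moved canonicalization to the root user: an unprivileged checker cannot distinguish "not a symlink" from "not allowed to look", so it must not answer "safe".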

Related branches

CVE References

Revision history for this message
Pádraig Brady (p-draigbrady) wrote :
description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

Adding Vish and MarkMC since this /may/ delay 2012.1.2.

Revision history for this message
Mark McLoughlin (markmc) wrote :

Yes, since we do all file injection as root, we need to do the path canonicalization as root. Uggh.

I think it makes sense to delay 2012.1.2 - it seems wrong to do a release claiming it fixes CVE-2012-3361 while we know the fix is incomplete.

Patch looks good to me - though if you reverted the s/absolute_path/abs_path/ it would make the straightforward nature of the change more obvious

Looks like 'readlink -m' has been around since 2004, so no concerns about its availability

Revision history for this message
Pádraig Brady (p-draigbrady) wrote :

folsom patch

Revision history for this message
Pádraig Brady (p-draigbrady) wrote :

essex patch

Revision history for this message
Pádraig Brady (p-draigbrady) wrote :

diablo patch.

Note this must be applied after https://review.openstack.org/#/c/9268/
which has been abandoned due to gating issues.

Note also that this requires users to update their nova sudoers
file to include 'readlink'

Thierry Carrez (ttx)
Changed in nova:
importance: High → Critical
status: New → Confirmed
Revision history for this message
Thierry Carrez (ttx) wrote :

Please confirm patches and approve proposed impact description. Will be published as an ERRATA to OSSA-2012-008 if it gets the same CVE, and as a separate advisory if it gets a new CVE...

Title: OSSA-2012-008 ERRATA: Incomplete fix
Impact: Critical
Reporter: Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Pádraig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting an instance based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.

Additional fixes needed:
...

Revision history for this message
Pádraig Brady (p-draigbrady) wrote :

Description in comment 7 looks good.

Thanks!

Revision history for this message
Steve Beattie (sbeattie) wrote :

As announcements went out for the incomplete fix (openstack OSSA-2012-008, Ubuntu USN 1501-1), MITRE will likely want a separate CVE issued for the complete fix, so that users can be assured that vendors have addressed both elements of the issue.

(As an example of how a similar issue was handled with php, see http://www.openwall.com/lists/oss-security/2012/05/09/6 ; specifically the handling of CVE-2012-2311 and CVE-2012-NEW-2, which later in the email thread was assigned as CVE-2012-2336.)

Revision history for this message
Thierry Carrez (ttx) wrote :

Thanks Steve. Adjusted title/description to match:

Title: Compute node filesystem injection/corruption
Impact: Critical
Reporter: Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Pádraig Brady from Red Hat discovered that the fix implemented for CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By crafting a malicious image with root-readable-only symlinks and requesting a server based on it, an authenticated user could still corrupt arbitrary files (all setups affected) or inject arbitrary files (Essex and later setups with OpenStack API enabled and a libvirt-based hypervisor) on the host filesystem, potentially resulting in full compromise of that compute node.

Revision history for this message
Mark McLoughlin (markmc) wrote :

Patches look good to me

I wondered why rootwrap didn't need updating in Folsom, but I see we have readlink in compute.filters already - might be good to add 'readlink -m' to the comment ... that'll help people realize that you didn't overlook rootwrap

Revision history for this message
Dan Prince (dan-prince) wrote :

Looks good to me too. Nice one.

Revision history for this message
Russell Bryant (russellb) wrote :

Patches and advisory look good to me, too.

Revision history for this message
Thierry Carrez (ttx) wrote :

Sent to downstream stakeholders.

Proposed public disclosure date/time:
*Tuesday August 7th, 1500UTC*

Revision history for this message
Thierry Carrez (ttx) wrote :

issue was assigned CVE-2012-3447

Revision history for this message
Thierry Carrez (ttx) wrote :

Adding a few more subscribers to help in coordinating disclosure.

Revision history for this message
Thierry Carrez (ttx) wrote :

Published patches, opened bugs

visibility: private → public
Thierry Carrez (ttx)
Changed in nova:
status: Confirmed → In Progress
Changed in nova:
assignee: nobody → Pádraig Brady (p-draigbrady)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/10951
Committed: http://github.com/openstack/nova/commit/ce4b2e27be45a85b310237615c47eb53f37bb5f3
Submitter: Jenkins
Branch: master

commit ce4b2e27be45a85b310237615c47eb53f37bb5f3
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:05:35 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/10952
Committed: http://github.com/openstack/nova/commit/d9577ce9f266166a297488445b5b0c93c1ddb368
Submitter: Jenkins
Branch: stable/essex

commit d9577ce9f266166a297488445b5b0c93c1ddb368
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:05:35 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/10953
Committed: http://github.com/openstack/nova/commit/ed89587d525e0214cb367aa4632df45903c6ac09
Submitter: Jenkins
Branch: stable/diablo

commit ed89587d525e0214cb367aa4632df45903c6ac09
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:34:19 2012 +0100

    Prohibit file injection writing to host filesystem

    This is a refinement of the previous fix in commit 2427d4a9,
    which does the file name canonicalization as the root user.
    This is required so that guest images could not for example,
    protect malicious symlinks in a directory only readable by root.

    Note this requires adding the 'readlink' binary to the
    nova sudoers file.

    Fixes bug: 1031311, CVE-2012-3447
    Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c

Thierry Carrez (ttx)
Changed in nova:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Dave Walker (davewalker)
Changed in nova (Ubuntu):
status: New → Fix Released
Changed in nova (Ubuntu Precise):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: CVE-2012-3361 not fully addressed

Ubuntu 12.04 LTS was fixed in http://www.ubuntu.com/usn/usn-1545-1/

Changed in nova (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
Adam Gandelman (gandelman-a) wrote : Verification report.

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Nova has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have been invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/10951
Stable review: https://review.openstack.org/10952

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Revision history for this message
Adam Gandelman (gandelman-a) wrote : Re: CVE-2012-3361 not fully addressed

Test coverage log.

tags: added: verification-done
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-3 → 2012.2
Thierry Carrez (ttx)
summary: - CVE-2012-3361 not fully addressed
+ [OSSA 2012-011] CVE-2012-3361 not fully addressed
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released
Sean Dague (sdague)
no longer affects: nova/diablo