Message-ID: <20240723150019.ljs3rfx4dlzu56sm@yuggoth.org>
Date: Tue, 23 Jul 2024 15:00:19 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
==================================================================
OSSA-2024-002: Incomplete file access fix and regression for QCOW2
backing files and VMDK flat descriptors
==================================================================
:Date: July 23, 2024
:CVE: CVE-2024-40767
Affects
~~~~~~~
- Nova: <27.4.1, >=28.0.0 <28.2.1, >=29.0.0 <29.1.1
Description
~~~~~~~~~~~
Arnaud Morin (OVH) reported a vulnerability in Nova. By supplying a
raw-format image which is actually a specially crafted QCOW2 image
with a backing file path or a VMDK flat image with a descriptor file
path, an authenticated user may convince systems to return a copy of
the referenced file’s contents from the server, resulting in
unauthorized access to potentially sensitive data. All Nova
deployments are affected.
Patches
~~~~~~~
- https://review.opendev.org/924734 (2023.1/antelope)
- https://review.opendev.org/924733 (2023.2/bobcat)
- https://review.opendev.org/924732 (2024.1/caracal)
- https://review.opendev.org/924731 (2024.2/dalmatian)
Credits
~~~~~~~
- Arnaud Morin from OVH (CVE-2024-40767)
References
~~~~~~~~~~
- https://launchpad.net/bugs/2071734
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40767
Notes
~~~~~
- The patches linked above should apply cleanly to the public state
  of their respective branches at the time of disclosure, and depend on
some commits which merged after the `OSSA-2024-001
<https://security.openstack.org/ossa/OSSA-2024-001.html>`_ fixes
as well as the final states of the Nova changes linked from that
advisory (those did see some minor adjustments before they
merged).
- The QCOW2 issue is due to an incomplete fix in OSSA-2024-001
affecting systems where the ``use_cow_images`` configuration
option is disabled, while the VMDK issue is a regression of the
earlier `OSSA-2023-002
<https://security.openstack.org/ossa/OSSA-2023-002.html>`_
vulnerability reintroduced by the new implementation in
OSSA-2024-001. Both problems were identified in the final hours
before OSSA-2024-001 publication but, due to time constraints,
were redacted from that bug and moved to a separate report.
- Neither the methods introduced in these patches nor the fixes for
OSSA-2024-001 are capable of blocking malicious images which are
already resident in Nova's cache. At this time we do not have
useful operator guidance for identifying and removing such
existing images from the cache but strongly caution, if you do
attempt to use the qemu-img tool to find them, to make sure you're
using a version of it patched for `QEMU CVE-2024-4467
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4467>`_.
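The note above says there is no operator guidance yet for spotting such images already in the cache and cautions about unpatched qemu-img. As an added example (not part of this advisory or of Nova's own code), the following Python check reads only the first bytes of an image that was uploaded as "raw" and reports the two container types described in the Description, without invoking qemu-img at all; the function names and the sample bytes are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian QCOW2 header prefix: magic, version, backing_file_offset, backing_file_size
QCOW2_HDR = ">4sIQI"

def qcow2_backing_file(data):
    """Backing file path from a QCOW2 header, or None if absent or not QCOW2."""
    if len(data) < 20 or data[:4] != QCOW2_MAGIC:
        return None
    _, _, off, size = struct.unpack(QCOW2_HDR, data[:20])
    if size == 0:
        return None
    # Bound the read so a hostile header cannot send us out of range.
    if size > 1023 or off + size > len(data):
        return "<out-of-range backing file reference>"
    return data[off:off + size].decode("utf-8", "replace")

def vmdk_extent_files(data):
    """Extent file names from a text VMDK descriptor, else an empty list."""
    # Only a descriptor that starts the file is handled; a sparse VMDK that
    # embeds its descriptor behind a binary header is not detected here.
    if not data.lstrip().startswith(b"# Disk DescriptorFile"):
        return []
    names = []
    for line in data[:4096].decode("ascii", "replace").splitlines():
        parts = line.split()
        # Extent lines look like: RW 4192256 FLAT "disk-flat.vmdk" 0
        if len(parts) >= 4 and parts[0] in ("RW", "RDONLY", "NOACCESS"):
            names.append(parts[3].strip('"'))
    return names

def audit_declared_raw(data):
    """Findings for an image whose uploader declared its format as raw."""
    findings = []
    if data[:4] == QCOW2_MAGIC:
        findings.append("qcow2 header in an image declared raw")
        backing = qcow2_backing_file(data)
        if backing is not None:
            findings.append("qcow2 backing file: " + backing)
    for name in vmdk_extent_files(data):
        findings.append("vmdk extent file: " + name)
    return findings

# Constructed samples, not real images: a minimal qcow2 header whose backing
# file pointer lands at offset 104, and a flat-VMDK descriptor.
SAMPLE_QCOW2 = struct.pack(QCOW2_HDR, QCOW2_MAGIC, 3, 104, 19).ljust(104, b"\0") + b"/some/host/file.img"
SAMPLE_VMDK = b'# Disk DescriptorFile\nversion=1\nRW 2048 FLAT "other-flat.vmdk" 0\n'
```

An empty findings list only means neither of these two container signatures was seen in the header, not that the image is safe to treat as raw.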
--
Jeremy Stanley
OpenStack Vulnerability Management Team