Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002f0d92-d247-bbec-cb7b-4709a5f5b195@gmail.com>
Date: Wed, 4 Sep 2024 11:52:07 -0400
From: Brian Rosmaita <rosmaita.fossdev@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to
 qemu-img (CVE-2024-44082)

========================================================
OSSA-2024-003: Unvalidated image data passed to qemu-img
========================================================

:Date: September 04, 2024
:CVE: CVE-2024-44082


Affects
~~~~~~~
- Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1
- Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0
<9.13.1


Description
~~~~~~~~~~~
Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research
noticed a vulnerability in image processing for Ironic, in which a
specially crafted image could be used by an authenticated user to
exploit undesired behaviors in qemu-img, including possible unauthorized
access to potentially sensitive data.

Mitigation
----------
The attached patches contain code allowing Ironic and the
Ironic-Python-Agent (IPA) to pre-screen images before passing them to
qemu-img.  You should patch both of them because in some popular
deployment configurations, it is possible for images to bypass the
Ironic conductor for more efficient image downloads.

In situations where it is not possible to patch IPA, there is a new
configuration option, ``[conductor]conductor_always_validates_images``.
When this option is True, all image downloads are forced to occur
through the Ironic conductor, where they are validated.  However, this
may incur a significant performance hit; hence our recommendation to
patch both Ironic and IPA.

Patches are available for both Ironic and IPA for all maintained
branches, namely, the Dalmatian development branch (current master)
through Antelope. For these branches,
``conductor_always_validates_images`` defaults to False.

For the unmaintained branches (Zed through Victoria), patches are not
available for IPA due to a significant risk of regressions.  For these
branches, the Ironic patches set ``conductor_always_validates_images``
to True, as this is the only safe way to run Ironic with an un-patched
IPA.

Cached images
-------------
Images in the Ironic image cache should be purged.  To purge the cache,
stop the Ironic conductor and remove the files in the
``[pxe]/instance_master_path`` directory on that conductor node.

Supported image formats
-----------------------
A new configuration option, ``[conductor]permitted_image_formats``
controls what image formats will be accepted by Ironic.  By default, the
allowed formats are 'raw' and 'qcow2', which are the only formats that
Ironic is tested with.  In previous releases, it was possible to use
images of other, unsupported formats with Ironic, but this is now
blocked by default due to security issues arising from the image
conversion process.  It is possible, though not recommended, to expand
the list of permitted formats.  Alternatively, users requiring the use
of an image in an unsupported format can convert the image offline into
a supported format before uploading the image to Glance or otherwise
making the image available to Ironic.  Consult the Ironic documentation
for details.

Warning
-------
As is well-documented, the OpenStack Ironic project does not support the
use of ironic-lib for non-Ironic use cases.  In its normal supported
context, ironic-lib assumes that images have been pre-screened before
ironic-lib comes in contact with them.  Thus, unsupported use of
ironic-lib leaves you vulnerable to the exploit outlined in this OSSA.

The Ironic project intends eventually to explicitly remove the
vulnerable methods in ironic-lib, but reminds the reader that
independent use of ironic-lib is not supported.

Bugfix branches
---------------
Patches are available for maintained bugfix branches.  These patches
will be merged to the maintained branches, but no new releases will be
triggered from those branches.




Patches
~~~~~~~
- https://review.opendev.org/927972 (2023.1/antelope(ironic))
- https://review.opendev.org/927979 (2023.1/antelope(ironic-python-agent))
- https://review.opendev.org/927970 (2023.2/bobcat(ironic))
- https://review.opendev.org/927978 (2023.2/bobcat(ironic-python-agent))
- https://review.opendev.org/927968 (2024.1/caracal(ironic))
- https://review.opendev.org/927976 (2024.1/caracal(ironic-python-agent))
- https://review.opendev.org/927965 (2024.2/dalmatian(ironic))
- https://review.opendev.org/927974 (2024.2/dalmatian(ironic-python-agent))
- https://review.opendev.org/927969 (Bugfix/24.0 (ironic))
- https://review.opendev.org/927967 (Bugfix/25.0 (ironic))
- https://review.opendev.org/927966 (Bugfix/26.0 (ironic))
- https://review.opendev.org/927983 (Bugfix/9.12 (ironic-python-agent))
- https://review.opendev.org/927981 (Bugfix/9.13 (ironic-python-agent))
- https://review.opendev.org/927984 (Bugfix/9.9 (ironic-python-agent))
- https://review.opendev.org/927982 (Unmaintained/victoria(ironic))
- https://review.opendev.org/927980 (Unmaintained/wallaby(ironic))
- https://review.opendev.org/927977 (Unmaintained/xena(ironic))
- https://review.opendev.org/927975 (Unmaintained/yoga(ironic))
- https://review.opendev.org/927973 (Unmaintained/zed(ironic))


Credits
~~~~~~~
- Dan Smith from Red Hat (CVE-2024-44082)
- Jay Faulkner from G-Research (CVE-2024-44082)
- Julia Kreger from Red Hat (CVE-2024-44082)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2071740
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44082


Notes
~~~~~
- For more information about the unadvisability of calling 'qemu-img
   info' on untrusted images, see CVE-2024-04467.
- The ironic unmaintained/* branches will receive no point releases, but
   patches for them are provided as a courtesy.
- The ironic-python-agent unmaintained/* branches will receive no point
   releases, nor are patches for them available.
- The ironic and ironic-python-agent bugfix/* branches will receive no
   point releases, but patches for them are provided as a courtesy.

--
Brian Rosmaita
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html


Download attachment "OpenPGP_0xE834C62762D8856C.asc" of type "application/pgp-keys" (678 bytes)

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.