security-doc/security-notes/OSSN-0060
Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

52 lines
2.2 KiB
Plaintext

Glance configuration option can lead to privilege escalation
---
### Summary ###
Glance exposes a configuration option called `use_user_token` in the
configuration file `glance-api.conf`. It should be noted that the
default setting (`True`) is secure. If, however, the setting is
changed to `False` and valid admin credentials are supplied in the
following section (`admin_user` and `admin_password`), Glance API
commands will be executed with admin privileges regardless of the
intended privilege level of the calling user.
### Affected Services / Software ###
Glance, Juno, Kilo, Liberty
### Discussion ###
The `use_user_token` configuration option was created to enable
automatic re-authentication for tokens whch are close to expiration,
thus preventing the tokens from expiring in the middle of
longer-lasting Glance commands. Unfortunately the implementation
enables privilege escalation attacks by automatically executing API
commands as an administrator level user.
By default `use_user_token` is set to `True` which is secure. If the
option is disabled (set to `False`) and valid admin credentials are
specified in the `glance-api.conf` file, API commands will be executed
as the supplied admin user regardless of the intended privileges of the
calling user. Glance API v2 configurations which don't enable the
registry service (`data_api = glance.db.registry.api`) aren't affected.
Enabling unauthenticated and lower privileged users to execute Glance
commands with administrator privileges is very dangerous and may
expose risks including:
- tampering with images
- deleting images
- denial of service attacks
### Recommended Actions ###
A comprehensive fix will be included in the Mitaka release. Meanwhile
it is recommended that all users ensure that `use_user_token` is left
at the default setting (`True`) or commented out.
### Contacts / References ###
Author: Travis McPeak, HPE
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448
OpenStack Security Documentation : https://security.openstack.org
OpenStack Security Project : https://wiki.openstack.org/wiki/Security
Bug Introduction : https://review.openstack.org/#/c/29967/