1bf55f1eb0
All OSSN authors, added under the "Author:" metadata field Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a Closes-Bug: #1599064
Multiple Cinder drivers set insecure file permissions
---

### Summary ###
Several Cinder volume drivers set insecure file permissions for various
files and directories. These permissions render the files accessible for
read and write to any user with access to the Cinder host as well as any
processes running on it. This exposes user block storage data to
potential disclosure, corruption, or destruction.

### Affected Services / Software ###
Cinder, Folsom, Grizzly, Havana, Icehouse

### Discussion ###
Several Cinder drivers set file permissions that allow read and write
access to 'group' and 'others'. Affected drivers include:

- GPFS
- GlusterFS
- Huawei
- NetApp/NFS
- Nexenta
- NFS
- Scality

Essentially, user volumes are made accessible to all who have access to
the Cinder host. Daemons running on the host are also able to access the
affected user volumes. The relaxed file permissions can be exploited to
disclose, modify, corrupt, or destroy user volume data.

All versions of Cinder are vulnerable in Icehouse and earlier releases
with a single exception: systems using the Icehouse GPFS driver.

This issue was reported by Dirk Mueller of SUSE.

### Recommended Actions ###
The GPFS driver in the Icehouse release fixes the file permissions issue
and also executes shell commands in non-root mode where possible.
Unfortunately, it is not practical to back-port the fix for the GPFS
driver to earlier OpenStack releases. It is anticipated that the other
affected drivers will be fixed in the OpenStack Juno release.

It is not possible to simply modify the file permissions to mitigate
the issue, as several of the affected drivers currently require the
relaxed file permissions to function. Additionally, file manipulation
cannot be uniformly restricted to a non-root user because oftentimes a
file may be created on one host using one uid, but mounted on another
host using a different uid.

You can check what drivers are being used by Cinder by executing the
following command on your Cinder host:

> grep "^volume_driver" /etc/cinder/cinder.conf

You should compare the results of the above command against the list of
known vulnerable drivers in the "Discussion" section above to see if you
are affected. If you are running the Icehouse version of Cinder and the
GPFS driver is the only driver in use, your Cinder system is not
vulnerable to this issue.

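The comparison above can be scripted. The following is an added example,
not part of the original OSSN or of Cinder: it matches each volume_driver
value against the driver list in the "Discussion" section and lists
volume files that group or others can read or write. It assumes the
driver class path contains the family name; the function names, the
release argument, and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Driver families from the advisory's Discussion list, as lowercase substrings.
# Assumption: the configured driver class path contains the family name.
AFFECTED='gpfs glusterfs huawei netapp nexenta nfs scality'

# affected_drivers RELEASE < cinder.conf
# Prints "family<TAB>driver" for each volume_driver naming an affected family.
affected_drivers() {
    release=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')
    # A multi-backend config repeats volume_driver once per backend section.
    sed -n 's/^volume_driver[[:space:]]*=[[:space:]]*//p' |
    while IFS= read -r driver; do
        lower=$(printf '%s' "$driver" | tr 'A-Z' 'a-z')
        for fam in $AFFECTED; do
            case $lower in
                *"$fam"*)
                    # Single exception named in the advisory: GPFS on Icehouse.
                    if [ "$fam" != gpfs ] || [ "$release" != icehouse ]; then
                        printf '%s\t%s\n' "$fam" "$driver"
                    fi
                    break ;;
            esac
        done
    done
}

# loose_files DIR
# Lists regular files under DIR with any group/other read or write bit set.
loose_files() {
    find "$1" -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Constructed sample config (not from a real deployment), checked as Havana.
affected_drivers havana <<'EOF'
[lvm]
volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver
[shared]
volume_driver=cinder.volume.drivers.nfs.NfsDriver
EOF
```

On a real host, run `affected_drivers <release> < /etc/cinder/cinder.conf`
and point `loose_files` at the directory where the driver keeps volume files.
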
In the likely scenario that your system is vulnerable, you should limit
access to the Cinder host as much as possible. You should also explore
alternatives such as applying mandatory access control policies
(SELinux, AppArmor, etc.) or using NFS uid squashing to control access
to the files in order to minimize the possible exposure.

### Contacts / References ###
Author: Nathan Kinder, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0014
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1260679
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg