From a0c7593063ec444b31771bf7efef277f6625c65d Mon Sep 17 00:00:00 2001 From: Travis McPeak Date: Mon, 25 Jan 2016 08:10:51 -0800 Subject: [PATCH] Adding OSSN-0060 This commit adds security note OSSN-0060 about an insecure glance setting which enables escalation to admin level API privileges. Change-Id: I5eba5cdc0e62e18771b236e2ec6dd9c0baf0ddb1 --- security-notes/OSSN-0060 | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 security-notes/OSSN-0060 diff --git a/security-notes/OSSN-0060 b/security-notes/OSSN-0060 new file mode 100644 index 00000000..8796addf --- /dev/null +++ b/security-notes/OSSN-0060 
@@ -0,0 +1,50 @@ +Glance configuration option can lead to privilege escalation +--- + +### Summary ### +Glance exposes a configuration option called `use_user_token` in the +configuration file `glance-api.conf`. It should be noted that the +default setting (`True`) is secure. If, however, the setting is +changed to `False` and valid admin credentials are supplied in the +following section (`admin_user` and `admin_password`), Glance API +commands will be executed with admin privileges regardless of the +intended privilege level of the calling user. + +### Affected Services / Software ### +Glance, Juno, Kilo, Liberty + +### Discussion ### + +The `use_user_token` configuration option was created to enable +automatic re-authentication for tokens whch are close to expiration, +thus preventing the tokens from expiring in the middle of +longer-lasting Glance commands. Unfortunately the implementation +enables privilege escalation attacks by automatically executing API +commands as an administrator level user. + +By default `use_user_token` is set to `True` which is secure. If the +option is disabled (set to `False`) and valid admin credentials are +specified in the `glance-api.conf` file, API commands will be executed +as the supplied admin user regardless of the intended privileges of the +calling user. Glance API v2 configurations which don't enable the +registry service (`data_api = glance.db.registry.api`) aren't affected. + +Enabling unauthenticated and lower privileged users to execute Glance +commands with administrator privileges is very dangerous and may +expose risks including: + + - tampering with images + - deleting images + - denial of service attacks + +### Recommended Actions ### +A comprehensive fix will be included in the Mitaka release. Meanwhile +it is recommended that all users ensure that `use_user_token` is left +at the default setting (`True`) or commented out. 
+ +### Contacts / References ### +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060 +Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448 +OpenStack Security Documentation : https://security.openstack.org +OpenStack Security Project : https://wiki.openstack.org/wiki/Security +Bug Introduction : https://review.openstack.org/#/c/29967/
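Review bot: The Recommended Actions section covers only `use_user_token`, although the Summary and Discussion both name a second precondition: valid admin credentials (`admin_user` and `admin_password`) in `glance-api.conf`. Consider also advising operators to check whether those credentials are set, and to remove them where `use_user_token` is left at `True`, so the note gives a complete check. In the Discussion, the parenthetical `data_api = glance.db.registry.api` is ambiguous: it can be read either as the setting that enables the registry service or as the unaffected configuration, so say explicitly which one it is. The phrase "unauthenticated and lower privileged users" goes further than the Summary, which only mentions "the calling user"; either explain how unauthenticated callers are reachable or drop the word. The Summary also refers to "the following section" without naming the section of the configuration file. Finally, "whch" in the first Discussion paragraph should be "which".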