Adding OSSN-0060
This commit adds security note OSSN-0060 about an insecure glance setting which enables escalation to admin level API privileges. Change-Id: I5eba5cdc0e62e18771b236e2ec6dd9c0baf0ddb1
This commit is contained in:
Travis McPeak
50
security-notes/OSSN-0060
Normal file
50
security-notes/OSSN-0060
Normal file
@@ -0,0 +1,50 @@
|
|||||||
|
Glance configuration option can lead to privilege escalation
|
||||||
|
---
|
||||||
|
|
||||||
|
### Summary ###
|
||||||
|
Glance exposes a configuration option called `use_user_token` in the
|
||||||
|
configuration file `glance-api.conf`. It should be noted that the
|
||||||
|
default setting (`True`) is secure. If, however, the setting is
|
||||||
|
changed to `False` and valid admin credentials are supplied in the
|
||||||
|
following section (`admin_user` and `admin_password`), Glance API
|
||||||
|
commands will be executed with admin privileges regardless of the
|
||||||
|
intended privilege level of the calling user.
|
||||||
|
|
||||||
|
### Affected Services / Software ###
|
||||||
|
Glance, Juno, Kilo, Liberty
|
||||||
|
|
||||||
|
### Discussion ###
|
||||||
|
|
||||||
|
The `use_user_token` configuration option was created to enable
|
||||||
|
automatic re-authentication for tokens whch are close to expiration,
|
||||||
|
thus preventing the tokens from expiring in the middle of
|
||||||
|
longer-lasting Glance commands. Unfortunately the implementation
|
||||||
|
enables privilege escalation attacks by automatically executing API
|
||||||
|
commands as an administrator level user.
|
||||||
|
|
||||||
|
By default `use_user_token` is set to `True` which is secure. If the
|
||||||
|
option is disabled (set to `False`) and valid admin credentials are
|
||||||
|
specified in the `glance-api.conf` file, API commands will be executed
|
||||||
|
as the supplied admin user regardless of the intended privileges of the
|
||||||
|
calling user. Glance API v2 configurations which don't enable the
|
||||||
|
registry service (`data_api = glance.db.registry.api`) aren't affected.
|
||||||
|
|
||||||
|
Enabling unauthenticated and lower privileged users to execute Glance
|
||||||
|
commands with administrator privileges is very dangerous and may
|
||||||
|
expose risks including:
|
||||||
|
|
||||||
|
- tampering with images
|
||||||
|
- deleting images
|
||||||
|
- denial of service attacks
|
||||||
|
|
||||||
|
### Recommended Actions ###
|
||||||
|
A comprehensive fix will be included in the Mitaka release. Meanwhile
|
||||||
|
it is recommended that all users ensure that `use_user_token` is left
|
||||||
|
at the default setting (`True`) or commented out.
|
||||||
|
|
||||||
|
### Contacts / References ###
|
||||||
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060
|
||||||
|
Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448
|
||||||
|
OpenStack Security Documentation : https://security.openstack.org
|
||||||
|
OpenStack Security Project : https://wiki.openstack.org/wiki/Security
|
||||||
|
Bug Introduction : https://review.openstack.org/#/c/29967/
|
||||||
Reference in New Issue
Block a user