Many OpenStack clouds provide flexible services that depend on key infrastructure components such as ssh for command-line access and qcow2 for software images. This week, the open source community has been reacting to disclosures of two important vulnerabilities in these components, which will have widespread impact.
OpenSSH
A significant vulnerability in OpenSSH, nicknamed "regreSSHion", was announced on 1st July 2024 with CVE identifier CVE-2024-6387. It is a race condition in a signal handler of the sshd server process, reintroduced in OpenSSH 8.5p1 as a regression of the much older CVE-2006-5051 and fixed in OpenSSH 9.8p1. On glibc-based Linux systems it could allow an unauthenticated remote attacker to execute code as root, without any credentials, simply by connecting to the SSH port. The attack is complex and requires very precise timing to succeed: Qualys needed several hours of continuous connection attempts against a 32-bit target, and 64-bit targets are harder still. Given sufficient time and perseverance, however, it eventually will.
RHEL 9, Rocky Linux 9, FedoraCoreOS 34-40 and Ubuntu 22.04 are all known to be affected:
- https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-2024-6378-regression
- https://ubuntu.com/security/CVE-2024-6387
This vulnerability affects every point of contact between the cloud and its external network where the ssh port is exposed. This could include:
- SSH-enabled guest VMs.
- Management servers for a Kubernetes Cluster API management cluster.
- OpenStack control plane servers.
- OpenStack management servers.
Services that are not directly accessible from the internet are mitigated only to an extent: anyone who can reach the SSH port from an internal network (for example from a compromised guest or a foothold on the management network) can still attempt the attack, so these hosts must be patched too.
For the OpenStack control plane and management services, updated SSH packages are available for Ubuntu 22.04. For Rocky Linux 9, updated SSH packages are available in a security repo for Rocky Linux 9.4.
Alternatively, a configuration mitigation (described further in the links above) is effective for all distributions. In sshd_config set the following parameter:
LoginGraceTime 0
then check the configuration with sshd -t and restart the sshd service. Note that sshd uses the first value it reads for a keyword, so this line must come before any existing LoginGraceTime setting and before any Include directive that might pull one in (on Ubuntu 22.04 the Include of /etc/ssh/sshd_config.d/*.conf is at the top of the file).
The tradeoff of this mitigation is that unauthenticated connections never time out, which makes the SSH server vulnerable to a denial of service: an attacker can hold open all of the MaxStartups connection slots, after which new logins are refused.
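As an added example (my own code, not from the original post or from StackHPC), the following applies the LoginGraceTime mitigation to sshd_config text in a way that honours sshd's first-value-wins rule, and reads back the value sshd would use. It does not follow Include lines; the sample configuration is constructed for illustration.

```python
"""Apply the CVE-2024-6387 LoginGraceTime mitigation to sshd_config text.

Added example, not code from the original post or from StackHPC. sshd uses the
FIRST value it reads for each keyword, so appending "LoginGraceTime 0" to the
end of the file does nothing if an earlier line, or a file pulled in by an
earlier Include, already sets it. The function below therefore comments out
every existing LoginGraceTime line and puts the new setting on line 1.
"""
from __future__ import annotations

import re

# Matches "LoginGraceTime 2m", "LoginGraceTime=2m" and "LoginGraceTime = 2m"
# (keywords are case-insensitive); a leading '#' makes the line a comment.
_DIRECTIVE = re.compile(r"^\s*logingracetime\s*(?:=|\s)\s*(\S+)", re.IGNORECASE)

# Constructed sample, not a real host's file.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
LoginGraceTime 2m
MaxStartups 10:30:100
PermitRootLogin no
"""


def effective_login_grace_time(config: str) -> str | None:
    """Return the value sshd would use (first match wins), or None if unset.

    Include lines are not followed; `sshd -T` on the host gives the
    authoritative effective configuration.
    """
    for line in config.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            return m.group(1)
    return None


def set_login_grace_time_zero(config: str) -> str:
    """Comment out existing LoginGraceTime lines and set 0 on the first line.

    Existing lines are commented rather than deleted so the change is visible
    and reversible. Calling this on already-mitigated text returns it unchanged.
    """
    lines = config.splitlines()
    if lines and (m := _DIRECTIVE.match(lines[0])) and m.group(1) == "0":
        return config  # already applied
    out = ["LoginGraceTime 0"]
    for line in lines:
        out.append("#" + line if _DIRECTIVE.match(line) else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real host: read /etc/ssh/sshd_config, write the result back,
    # run `sshd -t`, then restart sshd.
    print(set_login_grace_time_zero(SAMPLE_SSHD_CONFIG))
```

Running this on the sample moves the effective value from 2m to 0 while leaving the original setting visible as a comment; after writing the result to /etc/ssh/sshd_config, validate with sshd -t and confirm with sshd -T that logingracetime is 0 before restarting.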
Credit to Qualys for the discovery of this vulnerability, who have produced an excellent and informative analysis of the issue.
QCOW2
An important CVE (CVE-2024-32498, OSSA-2024-1) relating to QCOW2 has been announced by the OpenStack security SIG.
The vulnerability involves a scenario in which a maliciously-crafted QCOW2 image, whose header references a file on the host by path, causes the Cinder, Nova or Glance service converting the image to read that file from the filesystem of its container and copy the contents into the resulting disk, where the user can read it from inside the VM's root filesystem. This could include, for example:
- Secrets for the Cinder user in the Ceph cluster (this is a concern if users have direct access to Ceph APIs, for example through the Manila CephFSNative driver).
- Credentials for the libvirt network socket used for live migration (this socket is bound on the internal API network and not normally accessible to users).
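To make the mechanism concrete, here is an added example (my own code, not from the original post, from StackHPC or from the OpenStack projects) of the kind of check the fixed services perform before handing an image to qemu-img: it parses the fixed QCOW2 header from bytes already in memory and rejects any image whose header references a backing file or sets the external data file feature. Field offsets follow QEMU's qcow2 specification; the sample headers are constructed in memory, are not usable images, and the host path in one of them is hypothetical.

```python
"""Reject QCOW2 headers that reference files outside the image.

Added example; not code from the original post, from StackHPC or from the
OpenStack projects. Field offsets follow QEMU's docs/interop/qcow2.rst.
Only bytes already in memory are consulted, so nothing the header points at
is ever opened; that is the point, because opening a QCOW2 image with an
external data file or backing file means opening that file too.
"""
import struct

QCOW_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2   # incompatible_features bit 2: external data file
HEADER_V2_LEN = 72            # fixed header up to and including snapshots_offset
HEADER_V3_LEN = 104           # v3 adds feature bits, refcount_order, header_length


def inspect_qcow2(data: bytes) -> dict:
    """Parse the header at the start of `data` and report what it references.

    Raises ValueError for anything that is not a well-formed v2/v3 header.
    """
    if len(data) < HEADER_V2_LEN or data[:4] != QCOW_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", data[4:20])
    if version not in (2, 3):
        raise ValueError(f"unsupported QCOW2 version {version}")
    result = {"version": version, "backing_file": None, "external_data_file": False}
    if backing_off or backing_len:
        end = backing_off + backing_len
        if backing_off < HEADER_V2_LEN or end > len(data):
            raise ValueError("backing file name lies outside the bytes provided")
        result["backing_file"] = data[backing_off:end].decode("utf-8", "replace")
    if version == 3:
        if len(data) < HEADER_V3_LEN:
            raise ValueError("truncated v3 header")
        incompatible = struct.unpack(">Q", data[72:80])[0]
        result["external_data_file"] = bool(incompatible & INCOMPAT_DATA_FILE)
    result["reject"] = result["backing_file"] is not None or result["external_data_file"]
    return result


def check_image_file(path: str) -> dict:
    """Inspect an image on disk. The backing file name must sit in the first
    cluster and cluster_bits is at most 21, so 2 MiB always covers it."""
    with open(path, "rb") as f:
        return inspect_qcow2(f.read(2 << 20))


def build_header(version: int, backing_file: bytes = b"", incompatible: int = 0) -> bytes:
    """Constructed test fixture: a 512-byte buffer holding only a header."""
    buf = bytearray(512)
    name_off = 256 if backing_file else 0
    # magic, version, backing_file_offset, backing_file_size, cluster_bits, size
    struct.pack_into(">4sIQIIQ", buf, 0, QCOW_MAGIC, version, name_off,
                     len(backing_file), 16, 1 << 30)
    # crypt_method, l1_size, l1_table_offset, refcount_table_offset,
    # refcount_table_clusters, nb_snapshots, snapshots_offset
    struct.pack_into(">IIQQIIQ", buf, 32, 0, 1, 0x30000, 0x10000, 1, 0, 0)
    if version == 3:
        # incompatible_features, compatible_features, autoclear_features,
        # refcount_order, header_length
        struct.pack_into(">QQQII", buf, 72, incompatible, 0, 0, 4, HEADER_V3_LEN)
    buf[name_off:name_off + len(backing_file)] = backing_file
    return bytes(buf)


# Constructed samples; the keyring path is a hypothetical target, not a real host's file.
CLEAN_IMAGE = build_header(3)
BACKING_IMAGE = build_header(2, backing_file=b"/etc/ceph/ceph.client.cinder.keyring")
DATA_FILE_IMAGE = build_header(3, incompatible=INCOMPAT_DATA_FILE)

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_IMAGE), ("backing", BACKING_IMAGE),
                      ("data-file", DATA_FILE_IMAGE)]:
        print(name, inspect_qcow2(img))
```

The decision is made from raw bytes rather than from qemu-img info because the converter, once handed the file, will follow exactly the references this check is looking for; an image that sets the external data file bit has to be refused before any tool that honours that bit opens it. A real Glance image can still legitimately carry a backing file name (for example one written by a snapshot chain on the user's own machine), so operators should expect such uploads to fail after the fix and re-export them as flat images.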
Further details of the vulnerability are published in OpenStack Security Advisory OSSA-2024-1 and as CVE-2024-32498.
The affected OpenStack services (Nova, Cinder and Glance) have all been patched upstream, and updating to the patched releases is required.
If it is not possible to quickly patch the affected OpenStack services, restricting image creation and upload in Glance will partly mitigate the issue, for example by applying a custom policy file for Glance.
For Kayobe users, this can be done by adding the following content to the Glance policy file, $KAYOBE_CONFIG_PATH/kolla/config/glance/policy.yaml:
---
"upload_image": "role:admin"
This can be deployed with:
kayobe overcloud service reconfigure --kolla-tags glance
Note that this blocks every non-admin image upload, including uploads made on a user's behalf such as instance snapshots, so it is a stop-gap until the patched services are deployed.
Credit to Martin Kaesberger for the discovery of this vulnerability.
Updated StackHPC Release Train container images are available for the OpenStack releases and host OS distributions used by our supported clients.
Get in touch
If you would like to get in touch we would love to hear from you. Reach out to us via LinkedIn, Twitter or directly via our contact page.