Many OpenStack clouds provide flexible services that depend on
key infrastructure components such as ssh for command-line access
and qcow2 for software images. This week, the open source community
has been reacting to disclosures of two important vulnerabilities in
these components, which will have widespread impact.
OpenSSH
A significant vulnerability in OpenSSH, CVE-2024-6387 (dubbed "regreSSHion"),
was announced on 1st July 2024. It is a signal handler race condition in sshd:
when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM
handler calls code that is not async-signal-safe, and a remote, unauthenticated
attacker who wins that race can execute code as root without any credentials.
The attack is complex and requires very precise timing to succeed. Given
sufficient time and perseverance, it eventually will.
RHEL 9, Rocky Linux 9, Fedora CoreOS 34-40 and Ubuntu 22.04 are all known to be affected. Upstream, OpenSSH 8.5p1 up to and including 9.7p1 carries the bug and 9.8p1 fixes it; distributions backport the fix without changing the version number, so consult your distribution's advisory rather than the version string alone.
This vulnerability affects every point of contact between the cloud
and its external network where the ssh port is exposed. This could
include:
- SSH-enabled guest VMs.
- Management servers for a Kubernetes Cluster API management cluster.
- OpenStack control plane servers.
- OpenStack management servers.
Services that are not directly reachable from the internet are only partly
mitigated: the attack works from any network that can reach the SSH port, so
an attacker who has already gained a foothold inside the cloud, or a tenant
workload with a route to management addresses, can still attempt it.
For the OpenStack control plane and management services, updated
SSH packages are available for Ubuntu 22.04. For Rocky Linux 9,
updated SSH packages are available in a security repo for Rocky
Linux 9.4.
Alternatively, a configuration mitigation (described in the Qualys analysis
credited below) is effective on all distributions: in sshd_config, set
LoginGraceTime to 0. This disables the login grace timer, so the SIGALRM
handler in which the race occurs is never invoked.
The tradeoff of this mitigation is that unauthenticated connections are never
timed out, which makes the SSH server vulnerable to a denial of service (by
exhaustion of all MaxStartups connection slots).
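As an added example (written for this edit, not a script from the original post or from any of the distributions named above), the following POSIX shell functions triage a host against the version range Qualys published and apply the LoginGraceTime workaround in a way that verifies it actually took effect. The drop-in path under sshd_config.d and the ssh/sshd service names are assumptions about the target host.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage a host for
# CVE-2024-6387 by OpenSSH version and apply the LoginGraceTime 0 workaround.
set -eu

# Return 0 when an "ssh -V" / sshd banner string falls in a range Qualys
# reported as affected: 8.5p1 up to 9.7p1, or anything older than 4.4p1.
# Returns 2 if no OpenSSH version can be parsed from the string.
# Caveat: distributions backport the fix without bumping the version, so a
# hit means "check the distro advisory / package changelog", not "exploitable".
regresshion_version_in_range() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    major=${v% *}
    minor=${v#* }
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 7 ]; then return 0; fi
    return 1
}

# Apply the workaround from the Qualys advisory. LoginGraceTime 0 disables
# the grace-period timer whose SIGALRM handler contains the racy code, at the
# cost that unauthenticated connections are never timed out: MaxStartups is
# then the only thing bounding half-open connections (the DoS tradeoff).
# The drop-in path and service names are assumptions; Ubuntu 22.04 and
# RHEL/Rocky 9 both ship an "Include /etc/ssh/sshd_config.d/*.conf" line.
apply_logingracetime_mitigation() {
    conf=${1:-/etc/ssh/sshd_config.d/99-cve-2024-6387.conf}
    printf 'LoginGraceTime 0\n' > "$conf"
    sshd -t                                  # syntax check before touching the service
    # sshd keeps the first value it reads, so verify the drop-in actually won
    # (an explicit LoginGraceTime above the Include line would override it).
    sshd -T | grep -qi '^logingracetime 0$' || { echo "mitigation not in effect" >&2; return 1; }
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

# Usage on a host (the second step needs root):
#   regresshion_version_in_range "$(ssh -V 2>&1)" && apply_logingracetime_mitigation
```

The `sshd -T` check matters more than the write itself: sshd honours the first occurrence of a keyword, so a drop-in only wins if the Include line precedes any LoginGraceTime in the main file. Remove the drop-in once patched packages are installed, since the MaxStartups exhaustion tradeoff is permanent for as long as it stays.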
Credit to Qualys, who discovered this vulnerability and have produced an
excellent and informative analysis of the issue.
- StackHPC Azimuth configuration is patched in release 0.8.2.
- StackHPC Slurm Appliance is patched in release v1.149.
QCOW2
An important CVE (CVE-2024-32498, OSSA-2024-1) relating to QCOW2 has been announced by the OpenStack security SIG.
The vulnerability involves a maliciously crafted QCOW2 image whose header
points at an external data file. When Nova, Cinder or Glance converts such an
image, QEMU follows that reference, and the contents of an arbitrary file on
the filesystem of the Cinder or Nova container end up in the resulting volume
or VM root filesystem, where the user who supplied the image can read them.
This could include, for example:
- Secrets for the Cinder user in the Ceph cluster (this is a concern
if users have direct access to Ceph APIs, for example through the
Manila CephFSNative driver).
- Credentials for the libvirt network socket used for live
migration (this socket is bound on the internal API network and not
normally accessible to users).
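To make the mechanism concrete, here is an added example written for this edit; it is not code from the original post, and it is not the OpenStack fix, which lives in each affected service's image format inspector. It parses only the QCOW2 header and its header extensions and refuses any image that references a file outside itself, whether through the external data file extension behind CVE-2024-32498 or the older backing-file field, so it goes slightly beyond the page's case by covering both reference kinds. All sample headers are constructed inline and the file paths in them are illustrative stand-ins, not real findings. The same properties appear in `qemu-img info` output, but a standalone parser lets you scan an image store without running QEMU against untrusted input.

```python
"""Added example (not code from the original post or from OpenStack):
reject QCOW2 images that reference an external file, the vector behind
CVE-2024-32498 (external data file) and the older backing-file issue.
Sample headers are constructed in make_v3_header(); paths are illustrative."""
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000            # terminates the header extension list
EXT_DATA_FILE = 0x44415441      # "DATA": external data file name extension
INCOMPAT_DATA_FILE = 1 << 2     # incompatible_features bit 2: external data file in use


def inspect_qcow2(blob: bytes) -> dict:
    """Return version, backing file name and external data file name (or None)."""
    if len(blob) < 72 or blob[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", blob[4:20])
    info = {"version": version, "backing_file": None,
            "data_file": None, "data_file_flag": False}
    if backing_off and backing_len:
        name = blob[backing_off:backing_off + backing_len]
        info["backing_file"] = name.decode("utf-8", "replace")
    if version == 2:
        header_len = 72             # v2 has a fixed 72-byte header
    elif version == 3:
        incompat, = struct.unpack(">Q", blob[72:80])
        header_len, = struct.unpack(">I", blob[100:104])
        info["data_file_flag"] = bool(incompat & INCOMPAT_DATA_FILE)
    else:
        raise ValueError(f"unsupported QCOW2 version {version}")
    # Header extensions follow the header: (type u32, length u32, data padded
    # to a multiple of 8 bytes), terminated by a zero type.
    pos = header_len
    while pos + 8 <= len(blob):
        ext_type, ext_len = struct.unpack(">II", blob[pos:pos + 8])
        pos += 8
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE:
            info["data_file"] = blob[pos:pos + ext_len].decode("utf-8", "replace")
        pos += (ext_len + 7) & ~7
    return info


def safe_to_import(blob: bytes):
    """(True, "ok") for a self-contained image; (False, reason) otherwise."""
    info = inspect_qcow2(blob)
    if info["backing_file"] is not None:
        return False, "references backing file " + info["backing_file"]
    if info["data_file"] is not None or info["data_file_flag"]:
        return False, "references external data file " + str(info["data_file"])
    return True, "ok"


def make_v3_header(backing_file=None, data_file=None) -> bytes:
    """Construct a minimal v3 header for testing (not a bootable image)."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)                 # version 3
    struct.pack_into(">I", hdr, 20, 16)               # cluster_bits: 64 KiB clusters
    struct.pack_into(">Q", hdr, 24, 64 << 20)         # virtual size 64 MiB
    struct.pack_into(">Q", hdr, 72, INCOMPAT_DATA_FILE if data_file else 0)
    struct.pack_into(">I", hdr, 96, 4)                # refcount_order
    struct.pack_into(">I", hdr, 100, 104)             # header_length
    ext = bytearray()
    if data_file:
        raw = data_file.encode()
        ext += struct.pack(">II", EXT_DATA_FILE, len(raw)) + raw + b"\0" * (-len(raw) % 8)
    ext += struct.pack(">II", EXT_END, 0)
    body = hdr + ext
    if backing_file:
        raw = backing_file.encode()
        struct.pack_into(">QI", body, 8, len(body), len(raw))  # name is placed after the extensions
        body += raw
    return bytes(body)


if __name__ == "__main__":
    # Constructed samples: the paths are stand-ins for what a crafted image
    # would point at, not real files from any deployment.
    samples = [
        ("clean", make_v3_header()),
        ("data_file", make_v3_header(data_file="/etc/ceph/ceph.client.cinder.keyring")),
        ("backing", make_v3_header(backing_file="/etc/nova/nova.conf")),
    ]
    for label, blob in samples:
        print(label, safe_to_import(blob))
```

Only the first few hundred bytes of each file are needed, so this is cheap to run over every image already sitting in a Glance store before and after patching; an existing image that fails the check deserves the same scrutiny as a newly uploaded one.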
Further details of the vulnerability are published in OpenStack Security Advisory OSSA-2024-1 and as CVE-2024-32498.
The affected OpenStack services (Nova, Cinder and Glance) have all been
patched, and updating them is required.
If it is not possible to quickly patch the affected OpenStack services,
restricting image creation and upload into Glance will partly mitigate
the issue, for example by applying a custom policy file for Glance. This
stops non-admin users from supplying a crafted image through the upload
API; it does not address images that reach the services by other routes,
which is why it is only a partial mitigation until the patches are applied.
For Kayobe users, this can be done by adding the following content to the Glance policy file at $KAYOBE_CONFIG_PATH/kolla/config/glance/policy.yaml:
---
"upload_image": "role:admin"
This can then be deployed with:
kayobe overcloud service reconfigure --kolla-tags glance
Credit to Martin Kaesberger for the discovery of this vulnerability.
- StackHPC Release Train container images are available for the OpenStack releases and host OS distributions used by our supported clients.
Get in touch
If you would like to get in touch we would love to hear from you. Reach out to us via LinkedIn, Twitter or directly via our contact page.