oss-sec mailing list archives
Re: CVE request for vulnerability in OpenStack Nova
From: cve-assign () mitre org
Date: Tue, 14 Oct 2014 01:01:53 -0400 (EDT)
Title: Nova VMware driver may connect VNC to another tenant's console
Products: Nova
Versions: up to 2014.1.3

Marcio Roberto Starke reported a vulnerability in the Nova VMware driver. A race condition in its VNC port allocation may cause it to connect the wrong console if instances are created concurrently. By repeatedly spawning new instances, an authenticated user may be able to gain unauthorized console access to instances belonging to other tenants. Only Nova setups using the VMware driver and the VNC proxy service are affected.

References: https://launchpad.net/bugs/1357372
When spawning some instances, nova VMware driver could have a race condition in VNC port allocation. Although the get_vnc_port function has a lock, it does not guarantee that the whole VNC port allocation process is locked, so another instance could receive the same port if it requests the VNC port before nova has finished the VNC port allocation to another VM. If the instances with the same VNC port are allocated on the same host, it could lead to improper access to the instance console.

Reproduce the problem: Launch two or more instances at the same time. In some cases one instance could execute get_vnc_port and pick a port, but before this instance has finished _set_vnc_config another instance could execute get_vnc_port and pick the same port.
it looks like something an attacker could probably leverage repetition to eventually exploit
Use CVE-2014-8750.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
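Added example, not part of the original message and not Nova's code: a toy model of the lock-scope problem the bug report describes, with a lock around the port lookup only beside a lock held across lookup and configuration. The `Host` class, the `spawn_*` helpers, the port range and the sleep are assumptions made for illustration; holding the lock across both steps is one way to close the window, not necessarily the fix Nova shipped.

```python
import threading
import time

VNC_PORT_START = 5900  # constructed port range for this example
VNC_PORT_COUNT = 100


class Host:
    """Toy stand-in for one hypervisor host; not Nova's real data model."""

    def __init__(self):
        self.vnc_ports = {}               # instance name -> configured VNC port
        self.lock = threading.Lock()

    def get_vnc_port(self):
        # The "check": first port that no already-configured instance uses.
        used = set(self.vnc_ports.values())
        return next(p for p in range(VNC_PORT_START, VNC_PORT_START + VNC_PORT_COUNT)
                    if p not in used)

    def set_vnc_config(self, instance, port):
        time.sleep(0.1)                   # stands in for the slow reconfigure call
        self.vnc_ports[instance] = port   # the "act": the port only now counts as used

    def spawn_narrow_lock(self, instance):
        with self.lock:                   # lock covers the lookup only
            port = self.get_vnc_port()
        self.set_vnc_config(instance, port)

    def spawn_wide_lock(self, instance):
        with self.lock:                   # lock covers lookup and configuration
            port = self.get_vnc_port()
            self.set_vnc_config(instance, port)


def spawn_concurrently(method_name, count=3):
    """Spawn `count` instances at once on a fresh host; return {instance: port}."""
    host = Host()
    threads = [threading.Thread(target=getattr(host, method_name), args=(f"vm-{i}",))
               for i in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return host.vnc_ports


if __name__ == "__main__":
    print("narrow lock:", spawn_concurrently("spawn_narrow_lock"))
    print("wide lock:  ", spawn_concurrently("spawn_wide_lock"))
```

A duplicate value in the returned mapping is the condition an operator would audit for: two instances on one host configured with the same VNC port.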