OpenStack-Cinder Vulnerability: Improper Handling of ScaleIO Backend Credentials (CVE-2020-10755)

Overview

Red Hat Product Security is responding to a flaw in the openstack-cinder package as shipped with Red Hat OpenStack Platform (RHOSP) 13, 15, and 16. This issue is assigned CVE-2020-10755 and is rated as having a security impact of Moderate.

This flaw only impacts environments using the Dell EMC ScaleIO or VxFlex OS backend storage (Dell EMC's "ScaleIO" driver was rebranded as "VxFlex OS" in RHOSP 16.0).

When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the connection_info element in all Block Storage v3 Attachments API calls with that element. A malicious end user could exploit this flaw to create a volume, retrieve the user name and password for that volume (API call), and use that information to connect to another user's volume. The attacker could also use these credentials for the ScaleIO or VxFlex OS Management API (if the Management API endpoint is known).

Affected Products

The following currently supported products are affected:
* Red Hat OpenStack Platform 13.0 (Queens)
* Red Hat OpenStack Platform 15.0 (Stein)
* Red Hat OpenStack Platform 16.0 (Train)

Resolution

Red Hat strongly recommends an update to impacted systems.

To update an impacted system:
1. Update software packages: openstack-cinder and os-brick. Links to released Errata can be found on the CVE-2020-10755 page.
2. Deploy a new configuration file on compute nodes, cinder nodes, and anywhere you would perform a volume attachment in your deployment.
3. Refresh database information by detaching and reattaching all volumes.

Note: Because this resolution consists of deploying credentials in a root-readable-only file, it is not suitable for the use case of attaching a volume to a bare metal host. For this reason, the Dell EMC ScaleIO/VxFlex OS storage backend for openstack-cinder is not recommended for use with bare metal hosts.

Configuration

On each node where the Dell EMC ScaleIO or VxFlex OS SDC is installed, do the following:
1. Create the /opt/emc/scaleio/openstack/connector.conf file (if it does not exist):
# mkdir -p /opt/emc/scaleio/openstack
# touch /opt/emc/scaleio/openstack/connector.conf
2. Ensure the file can be accessed only by root:
# chmod 600 /opt/emc/scaleio/openstack/connector.conf
3. For each scaleio or vxflexos section in cinder.conf, create the same section in the connector.conf file and populate it with passwords. Example:

     [vxflexos]
     san_password = SIO_PASSWD

     [vxflexos-new]
     san_password = SIO2_PASSWD
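
The following script is an added example (not part of this advisory or of the openstack-cinder project) that checks a deployment against steps 2 and 3 above: it lists the ScaleIO/VxFlex OS backend sections in cinder.conf, reports which of them lack a matching connector.conf section with a san_password, and verifies that connector.conf is a root-owned file with mode 0600. It assumes that an affected backend can be recognised by the substrings "scaleio" or "vxflexos" in its section name or volume_driver value; the sample configuration contents in the test are constructed.

```python
import configparser
import os
import stat

# Path from the advisory; the marker substrings are an assumption for spotting affected backends.
CONNECTOR_CONF = "/opt/emc/scaleio/openstack/connector.conf"
DRIVER_MARKERS = ("scaleio", "vxflexos")


def _parse(text):
    # interpolation=None so '%' in passwords is not treated specially; strict=False
    # tolerates duplicate keys, which real cinder.conf files sometimes carry.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def affected_backends(cinder_conf_text):
    """Names of cinder.conf sections that use the ScaleIO / VxFlex OS driver."""
    cfg = _parse(cinder_conf_text)
    found = []
    for name in cfg.sections():
        driver = cfg.get(name, "volume_driver", fallback="").lower()
        if any(m in name.lower() or m in driver for m in DRIVER_MARKERS):
            found.append(name)
    return found


def missing_connector_sections(cinder_conf_text, connector_conf_text):
    """Affected backends that have no connector.conf section with a non-empty san_password."""
    connector = _parse(connector_conf_text)
    return [name for name in affected_backends(cinder_conf_text)
            if not connector.get(name, "san_password", fallback="").strip()]


def connector_file_secure(path=CONNECTOR_CONF, expected_uid=0):
    """True if path is a regular file owned by expected_uid (root by default) with mode 0600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == expected_uid
            and stat.S_IMODE(st.st_mode) == 0o600)
```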

Acknowledgments

This issue was discovered by David Hill (Red Hat) and Eric Harney (Red Hat).