CVE-2020-17376
Public on
Last Modified:
Description
An information disclosure flaw was found in the live migration feature of OpenStack Nova. A user may gain access to destination host devices with the same path as those on the source host. This flaw allows an attacker to perform a soft reboot of an instance that has previously undergone live migration. The greatest impact of this vulnerability is to the confidentiality of many possible device types, but those at special risk are block storage devices, potentially revealing data of other users.
Statement
Red Hat OpenStack Platform 10 was initially marked as affected, however it has since been discovered that the flaw is actually not present in this version. For this reason, the update in RHSA-2020:3711 can be either applied or ignored for RHOSP 10.
Mitigation
Public clouds using non-default configurations (allowing untrusted users to initiate live migrations) face significant additional risk. If it is not possible to immediately apply patches, a temporary policy change is recommended: disable soft reboots by setting wait_soft_reboot_seconds to zero. This effectively forces any soft reboots to instead be overridden as a hard reboot. Find more information in Nova's documentation https://docs.openstack.org/nova/ussuri/configuration/config.html
Deployments which use unique device paths for each cinder volume face an extremely low risk of being affected by this flaw.
Additional information
- Bugzilla 1869426: openstack-nova: Soft reboot after live-migration reverts instance to original source domain XML
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- FAQ: Frequently asked questions about CVE-2020-17376
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 8.3 | 8.3 |
Attack Vector | Network | Network |
Attack Complexity | Low | Low |
Privileges Required | Low | Low |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | High | High |
Integrity Impact | High | High |
Availability Impact | Low | Low |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
NVD: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Red Hat CVSS v3 Score Explanation
Availability is rated as low because the problem can only be triggered once per live-migration. While this could interrupt a service, it cannot bring it down indefinitely.
OpenStack does not allow unauthenticated users to trigger soft reboots, so privileges required is rated Low.
Acknowledgements
This issue was discovered by Lee Yarwood (Red Hat) and Tadayoshi Hosoya (NEC).
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
