openstack-glance API v1 copy_from() has SSRF flaw - CVE-2017-7200

Public Date: April 12, 2017, 01:48
Updated January 3, 2018, 19:24
Resolved Status
Moderate Impact

The copy_from feature in Image Service API v1 allows an attacker to perform masked network port scans. It is possible to create images with a URL such as 'http://localhost:22'. This could allow an attacker to enumerate internal network details while appearing masked, because the scan appears to originate from the Image Service. This is classified as a Server-Side Request Forgery (SSRF).

Some knowledge of the internal network might be necessary to exploit this flaw internally (apart from localhost). 

An OSSN was released upstream (OSSN-0078), which discussed this flaw.

Background Information

OpenStack Image Service (glance) provides discovery, registration, and delivery services for disk and server images. The service provides the ability to snapshot a server image and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

The copy_from function in v1 allows remote content to be copied into the defined Image Service store.

Take Action

All Red Hat customers with deployments of affected products are recommended to apply mitigations to their systems; no fix is being released. The recommended mitigation is described under Full Mitigation below.

Because API v1 was deprecated in Newton and because a workaround is possible, no fix is being made available.


Red Hat Product Security has rated this update as having a security impact of Moderate.

Impacted Products

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
  • Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
  • Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
  • Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
  • Red Hat OpenStack Platform 8.0 (Liberty)
  • Red Hat OpenStack Platform 9.0 (Mitaka)
  • Red Hat OpenStack Platform 10.0 (Newton)


Logging

All copy_from calls are logged by the Image Service. This makes it possible to link any abuse of this vulnerability to the cloud user who made the calls.

Diagnose your vulnerability

For this flaw to be exploited, image creation must be enabled and non-admin users must be able to use the copy_from function.

In your OpenStack deployment, view the /etc/glance/policy.json file. If the file has the following settings, your deployment is vulnerable:

         "add_image": "",
         "copy_from": "",

Full Mitigation

To ensure that attackers cannot exploit this flaw, the policy for the copy_from function must be restricted to the 'admin' role.
Edit the /etc/glance/policy.json file and ensure the copy_from line has the following setting:
           "copy_from": "role:admin",
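The following is an added example, not code from Red Hat or the glance project, that automates the diagnosis and the full mitigation above: it loads a policy.json, resolves rule: references and or/and combinations the way the policy rule language does, reports whether add_image and copy_from are both usable by any user, and returns a copy with copy_from restricted to role:admin. The sample policies are constructed for the example.

```python
import json

# Constructed sample policy.json fragments (not from any real deployment).
VULNERABLE_POLICY = '{"default": "", "add_image": "", "copy_from": "", "get_image": ""}'
MITIGATED_POLICY = '{"default": "", "add_image": "", "copy_from": "role:admin"}'


def _rule_for(policy, target):
    """Rule text for a target; an undefined target falls back to the "default" rule."""
    return policy.get(target, policy.get("default", ""))


def _is_open(rule, policy, seen=()):
    """True if a rule grants access to every user.

    Handles "" and "@" (always allowed), "rule:<name>" references, and
    flat "or"/"and" combinations. Anything else (role:, is_admin:, tenant:,
    "!", parenthesised or negated expressions) is treated as restricted.
    """
    rule = rule.strip()
    if " or " in rule:
        return any(_is_open(p, policy, seen) for p in rule.split(" or "))
    if " and " in rule:
        return all(_is_open(p, policy, seen) for p in rule.split(" and "))
    if rule in ("", "@"):
        return True
    if rule.startswith("rule:"):
        name = rule[len("rule:"):]
        if name in seen:          # guard against self-referencing rules
            return False
        return _is_open(_rule_for(policy, name), policy, seen + (name,))
    return False


def is_vulnerable(policy_json):
    """CVE-2017-7200 check: image creation AND copy_from usable by non-admin users."""
    policy = json.loads(policy_json)
    return (_is_open(_rule_for(policy, "add_image"), policy)
            and _is_open(_rule_for(policy, "copy_from"), policy))


def mitigate(policy_json):
    """Return policy.json text with copy_from restricted to the admin role."""
    policy = json.loads(policy_json)
    policy["copy_from"] = "role:admin"
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    # Audit a live file with: is_vulnerable(open("/etc/glance/policy.json").read())
    print("vulnerable" if is_vulnerable(VULNERABLE_POLICY) else "mitigated")
```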

Warning

Limiting the copy_from function to 'admin' users impacts Orchestration and dashboard usage: 

  • Any Orchestration stacks for non-admin users that create images will break.
  • Non-admin users will not be able to create images in the dashboard by providing an image-data URI.

Partial Mitigation

  • Rate-limiting calls to the Image Service would make probing extremely slow and make this flaw less tempting to exploit. 
  • Limiting connections from the control-plane node running the glance-api server to only those ports that are required for the services, and to ports 80 & 443 towards the external network, would limit the scope of possible attack significantly without affecting the majority of users.

References

CVE-2017-7200
