Sovereign Cloud Stack

One platform: standardized, developed and operated by many.

Sovereign Cloud Stack Security Advisory Image Processing in Ironic (CVE-2024-44082)

Christian Berendt, Kurt Garloff, Felix Kronlage-Dammers, 7 September 2024

The vulnerability

Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research noticed a vulnerability in image processing for Ironic, in which a specially crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data.

The vulnerability has been assigned CVE-2024-44082.

Similar qemu-img image-processing issues had previously been found and addressed in other OpenStack projects.

Impact on the SCS reference implementation

The SCS reference implementation ships Ironic, so installations that have it deployed are advised to update the Ironic images in use.

Updating ironic images

If the OpenStack Ironic service is not used, it is not necessary to execute these steps.

  1. Update the OSISM manager to version 7.1.3 as usual (detailed instructions are in the Upgrade Guide for the OSISM Manager)
  2. Pull all Ironic images in advance with osism apply -a pull ironic
  3. Upgrade the Ironic service with osism apply -a upgrade ironic

In release 7.1.3 of OSISM, only the images of the OpenStack Ironic services were rebuilt. It is not necessary to upgrade other OpenStack services after updating the manager.

SCS provider status

To our knowledge, none of the providers running the SCS reference implementation use Ironic, so they are not affected by this vulnerability.

Embargo

The issue was reported privately by Dan Smith, Julia Kreger and Jay Faulkner to the OpenStack Vulnerability Management Team. The reporters and upstream developers worked together on fixes, and an embargo date was set for Wednesday, 2024-09-04, 16:00 UTC. At that point the patches are merged and an OpenStack Security Advisory (OSSA-2024-003) is published. The issue is tracked in OpenStack issue #2071740, which should be publicly accessible once the advisory has been published.

Under the responsible disclosure approach used, the information was shared in advance with a select group of trusted OpenStack users so that they could prepare updates and protect their users' data in time for the publication.

Mitigation and Fixes

The fixed code allows Ironic and the Ironic Python Agent (IPA) to pre-screen images before passing them to qemu-img. Both components need to be patched: in some popular deployment configurations the IPA ramdisk downloads images directly, bypassing the Ironic conductor for more efficient transfers, so a conductor-only fix would leave that path unscreened. OSISM will publish SCS R6.1.3 with fixed Ironic components this week.
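To make the shape of such a pre-screen concrete, here is an added example written for this advisory; it is not Ironic or IPA code and does not reproduce the upstream patch. It parses the image header itself, refuses qcow2 features that make qemu-img open other files on the host (backing file, external data file, encryption), refuses a declared format that does not match the header bytes (a "raw" upload that actually starts with a qcow2 header is the classic trick, since an unconstrained qemu-img would probe it as qcow2 and follow the backing file), and then builds a qemu-img invocation with an explicit -f so the format is never probed. Header offsets and magic values follow the qcow2 and VMDK specifications; ALLOWED_FORMATS is an assumed deployment policy, and the sample headers are constructed in the block.

```python
"""Pre-screen a disk image header before the bytes reach qemu-img.

Added example, not Ironic/IPA code. ALLOWED_FORMATS is an assumed policy.
"""
import struct

QCOW2_MAGIC = b"QFI\xfb"
VMDK_SPARSE_MAGIC = b"KDMV"
VMDK_DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"
QCOW2_INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2   # incompatible_features bit 2
ALLOWED_FORMATS = ("raw", "qcow2")           # assumed policy, not from the page


class UnsafeImage(Exception):
    """The image must not be handed to qemu-img."""


def detect_format(header: bytes) -> str:
    """Classify by magic bytes only; anything unrecognised counts as raw."""
    if header.startswith(QCOW2_MAGIC):
        return "qcow2"
    if header.startswith((VMDK_SPARSE_MAGIC, VMDK_DESCRIPTOR_MAGIC)):
        return "vmdk"
    return "raw"


def inspect_qcow2(header: bytes) -> None:
    """Reject qcow2 headers whose features make qemu-img read other files."""
    if len(header) < 72:
        raise UnsafeImage("truncated qcow2 header")
    # Fixed header fields, big-endian: magic, version, backing_file_offset,
    # backing_file_size, cluster_bits, size, crypt_method.
    _magic, version, backing_off, backing_len, _bits, _size, crypt = struct.unpack(
        ">4sIQIIQI", header[:36])
    if version not in (2, 3):
        raise UnsafeImage("unsupported qcow2 version %d" % version)
    if backing_off or backing_len:
        raise UnsafeImage("qcow2 header references a backing file")
    if crypt:
        raise UnsafeImage("encrypted qcow2 images are not accepted")
    if version == 3:
        if len(header) < 80:
            raise UnsafeImage("truncated qcow2 v3 header")
        (incompat,) = struct.unpack(">Q", header[72:80])
        if incompat & QCOW2_INCOMPAT_EXTERNAL_DATA_FILE:
            raise UnsafeImage("qcow2 header references an external data file")


def screen_header(header: bytes, declared: str) -> str:
    """Return the format qemu-img may be told to use, or raise UnsafeImage."""
    if declared not in ALLOWED_FORMATS:
        raise UnsafeImage("format %r is not allowed" % declared)
    detected = detect_format(header)
    if detected != declared:
        # e.g. declared raw, but the bytes are a qcow2 header: without -f,
        # qemu-img would probe it as qcow2 and follow its backing file.
        raise UnsafeImage("declared %s but header looks like %s" % (declared, detected))
    if detected == "qcow2":
        inspect_qcow2(header)
    return detected


def is_safe(header: bytes, declared: str) -> bool:
    try:
        screen_header(header, declared)
        return True
    except UnsafeImage:
        return False


def convert_command(path: str, declared: str, dest: str) -> list:
    """Screen the file's header, then force -f so qemu-img never probes."""
    with open(path, "rb") as fh:
        fmt = screen_header(fh.read(4096), declared)
    return ["qemu-img", "convert", "-f", fmt, "-O", "raw", path, dest]


def make_qcow2_header(backing_name: bytes = b"", external_data: bool = False) -> bytes:
    """Constructed test data: a minimal qcow2 v3 header, optionally hostile."""
    hdr = bytearray(104)
    struct.pack_into(">4sIQIIQI", hdr, 0, QCOW2_MAGIC, 3,
                     104 if backing_name else 0, len(backing_name), 16, 1 << 30, 0)
    incompat = QCOW2_INCOMPAT_EXTERNAL_DATA_FILE if external_data else 0
    struct.pack_into(">QQQII", hdr, 72, incompat, 0, 0, 4, 104)  # v3 tail
    return bytes(hdr) + backing_name


# Constructed samples: an honest qcow2, two hostile qcow2 variants, plain raw.
BENIGN_QCOW2 = make_qcow2_header()
BACKING_QCOW2 = make_qcow2_header(backing_name=b"/etc/passwd")
EXTDATA_QCOW2 = make_qcow2_header(external_data=True)
PLAIN_RAW = b"\x00" * 512

if __name__ == "__main__":
    for name, hdr, fmt in [("benign qcow2", BENIGN_QCOW2, "qcow2"),
                           ("qcow2 with backing file", BACKING_QCOW2, "qcow2"),
                           ("qcow2 with external data file", EXTDATA_QCOW2, "qcow2"),
                           ("qcow2 bytes declared as raw", BENIGN_QCOW2, "raw"),
                           ("plain raw", PLAIN_RAW, "raw")]:
        print("%-32s %s" % (name, "accept" if is_safe(hdr, fmt) else "reject"))
```

The two halves belong together: the header inspection catches images that carry references to other files, and the explicit -f in convert_command stops qemu-img from reinterpreting an accepted image as a different format. Because the IPA ramdisk may fetch images without the conductor seeing them, a real deployment has to run this kind of check on both sides, which is why the advisory asks for both components to be updated.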

Thanks

The authors would like to thank the reporters, the upstream OpenStack developers and the OpenStack Vulnerability Management Team for the responsible reporting, careful analysis, fixing, testing and professional handling of the issue, and the OSISM team for additional analysis.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://scs.community/.well-known/security.txt.

Version history

About the authors

Kurt Garloff
CTO Sovereign Cloud Stack @ Open Source Business Alliance
While studying and researching physics in Dortmund, Wuppertal and Eindhoven, Kurt started to work with and on Linux, contributing his first patches to the SCSI layer in the mid 90s. He has spent his post-university life in Open Source, as kernel engineer, leader of SUSE Labs (kernel, compiler, X11, security), and in engineering and business leadership at SUSE. Since 2011 he has been working on Open Source cloud software, at Deutsche Telekom, as a freelancer, at T-Systems (as chief architect for the OTC), and has also served on the Open Infra Foundation's board. Since 2019 he has been pushing the Sovereign Cloud Stack idea, which resulted in a publicly funded project that he now leads technically. He still loves to occasionally write code (mostly Python these days) or at least try out code from colleagues and the project. He spends his free time with his family or running and playing table tennis.
Felix Kronlage-Dammers
Felix has been building (open source) IT infrastructure since the late 90s; during high school he helped build and run an ISP specialized in providing UUCP over ssh. Between then and now Felix has always been active in various open source development communities (from DarwinPorts and OpenDarwin to OpenBSD and nowadays the Sovereign Cloud Stack). His interests range from monitoring and observability over infrastructure-as-code to building and scaling communities and companies. A technician at heart, he enjoys enabling others to do awesome stuff. He is part of the extended board of the OSBA and describes himself as a Unix/open source nerd. If not working, doing OSS for fun and (non-)profit or spending time with his family, he is usually found on a road bike.