Difference between revisions of "OSSN/OSSN-0060"
Robert-clark (talk | contribs) (Created page with "__NOTOC__ == Glance configuration option can lead to privilege escalation == === Summary === Glance exposes a configuration option called `use_user_token` in the configuratio...") |
(→Contacts / References) |
||
| Line 42: | Line 42: | ||
=== Contacts / References === | === Contacts / References === | ||
| − | This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060 | + | * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060 |
| − | Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448 | + | * Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448 |
| − | OpenStack Security Documentation : https://security.openstack.org | + | * OpenStack Security Documentation : https://security.openstack.org |
| − | OpenStack Security Project : https://wiki.openstack.org/wiki/Security | + | * OpenStack Security Project : https://wiki.openstack.org/wiki/Security |
| − | Bug Introduction : https://review.openstack.org/#/c/29967/ | + | * Bug Introduction : https://review.openstack.org/#/c/29967/ |
Revision as of 20:56, 25 January 2016
Glance configuration option can lead to privilege escalation
Summary
Glance exposes a configuration option called `use_user_token` in the configuration file `glance-api.conf`. It should be noted that the default setting (`True`) is secure. If, however, the setting is changed to `False` and valid admin credentials are supplied in the following section (`admin_user` and `admin_password`), Glance API commands will be executed with admin privileges regardless of the intended privilege level of the calling user.
Affected Services / Software
Glance, Juno, Kilo, Liberty
Discussion
The `use_user_token` configuration option was created to enable automatic re-authentication for tokens whch are close to expiration, thus preventing the tokens from expiring in the middle of longer-lasting Glance commands. Unfortunately the implementation enables privilege escalation attacks by automatically executing API commands as an administrator level user.
By default `use_user_token` is set to `True` which is secure. If the option is disabled (set to `False`) and valid admin credentials are specified in the `glance-api.conf` file, API commands will be executed as the supplied admin user regardless of the intended privileges of the calling user. Glance API v2 configurations which don't enable the registry service (`data_api = glance.db.registry.api`) aren't affected.
Enabling unauthenticated and lower privileged users to execute Glance commands with administrator privileges is very dangerous and may expose risks including:
- tampering with images
- deleting images
- denial of service attacks
Recommended Actions
A comprehensive fix will be included in the Mitaka release. Meanwhile it is recommended that all users ensure that `use_user_token` is left at the default setting (`True`) or commented out.
Contacts / References
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060
- Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448
- OpenStack Security Documentation : https://security.openstack.org
- OpenStack Security Project : https://wiki.openstack.org/wiki/Security
- Bug Introduction : https://review.openstack.org/#/c/29967/
