Difference between revisions of "OSSN/OSSN-0078"
(Created page with "https://bugs.launchpad.net/ossn/+bug/1606495") |
|||
| Line 1: | Line 1: | ||
| − | https://bugs.launchpad.net/ossn/+bug/1606495 | + | __NOTOC__ |
| + | |||
| + | == copy_from in Image Service API v1 allows network port scan == | ||
| + | |||
| + | |||
| + | === Summary === | ||
| + | The `copy_from` feature in Image Service API v1 supplied by Glance can | ||
| + | allow an attacker to perform masked network port scans. | ||
| + | |||
| + | === Affected Services / Software === | ||
| + | Version 1 of the Glance Image Service (deprecated in Newton). | ||
| + | |||
| + | === Discussion === | ||
| + | In Version 1 of the Glance Image Service API it is possible to create | ||
| + | images with a URL such as `http://localhost:22`. This could then allow | ||
| + | an attacker to enumerate internal network details while appearing | ||
| + | masked, since the scan would appear to originate from the Glance image | ||
| + | service. | ||
| + | |||
| + | === Recommended Actions === | ||
| + | Version 1 of the Glance Image Service API was deprecated in the Newton | ||
| + | cycle, so operators should upgrade to a later version that will allow | ||
| + | use of Version 2. | ||
| + | |||
| + | Existing deployments can limit policy on `copy_from` by restricting use | ||
| + | to `admin` within `policy.json` as follows: | ||
| + | |||
| + | "copy_from": "role:admin" | ||
| + | |||
| + | === Contacts / References === | ||
| + | Author: Luke Hinds, Red Hat | ||
| + | |||
| + | This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078 | ||
| + | |||
| + | Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1606495 | ||
| + | |||
| + | OpenStack Security Project : https://launchpad.net/~openstack-ossg | ||
Latest revision as of 10:33, 16 March 2017
copy_from in Image Service API v1 allows network port scan
Summary
The `copy_from` feature in Image Service API v1 supplied by Glance can allow an attacker to perform masked network port scans.
Affected Services / Software
Version 1 of the Glance Image Service (deprecated in Newton).
Discussion
In Version 1 of the Glance Image Service API it is possible to create images with a URL such as `http://localhost:22`. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance image service.
Recommended Actions
Version 1 of the Glance Image Service API was deprecated in the Newton cycle, so operators should upgrade to a later version that will allow use of Version 2.
Existing deployments can limit policy on `copy_from` by restricting use to `admin` within `policy.json` as follows:
"copy_from": "role:admin"
Contacts / References
Author: Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0078
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1606495
OpenStack Security Project : https://launchpad.net/~openstack-ossg
