Hi,

I'm hereby copy/pasting the CVE-2024-40767 announcement text, now that the embargo period is over.

At this point, this has been fixed in all unofficial debian.net backport repositories for OpenStack, and in unstable. I'll be trying to fix official bullseye and bookworm.

Cheers,

Thomas Goirand (zigo)

==================================================================
OSSA-2024-002: Incomplete file access fix and regression for QCOW2
               backing files and VMDK flat descriptors
==================================================================

:Date: July 23, 2024
:CVE: CVE-2024-40767

Affects
~~~~~~~
- Nova: <27.4.1, >=28.0.0 <28.2.1, >=29.0.0 <29.1.1

Description
~~~~~~~~~~~
Arnaud Morin (OVH) reported a vulnerability in Nova. By supplying a
raw format image which is actually a specially crafted QCOW2 image
with a backing file path or VMDK flat image with a descriptor file
path, an authenticated user may convince systems to return a copy of
the referenced file’s contents from the server resulting in
unauthorized access to potentially sensitive data. All Nova
deployments are affected.

Patches
~~~~~~~
- https://review.opendev.org/924734 (2023.1/antelope)
- https://review.opendev.org/924733 (2023.2/bobcat)
- https://review.opendev.org/924732 (2024.1/caracal)
- https://review.opendev.org/924731 (2024.2/dalmatian)

Credits
~~~~~~~
- Arnaud Morin from OVH (CVE-2024-40767)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2071734
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40767

Notes
~~~~~
- The patches linked above should apply cleanly to the public state
  of their respective branches at time of disclosure, and depend on
  some commits which merged after the `OSSA-2024-001
  <https://security.openstack.org/ossa/OSSA-2024-001.html>`_ fixes
  as well as the final states of the Nova changes linked from that
  advisory (those did see some minor adjustments before they
  merged).
- The QCOW2 issue is due to an incomplete fix in OSSA-2024-001
  affecting systems where the ``use_cow_images`` configuration
  option is disabled, while the VMDK issue is a regression of the
  earlier `OSSA-2023-002
  <https://security.openstack.org/ossa/OSSA-2023-002.html>`_
  vulnerability reintroduced by the new implementation in
  OSSA-2024-001. Both problems were identified in the final hours
  before OSSA-2024-001 publication but, due to time constraints,
  were redacted from that bug and moved to a separate report.
- Neither the methods introduced in these patches nor the fixes for
  OSSA-2024-001 are capable of blocking malicious images which are
  already resident in Nova's cache. At this time we do not have
  useful operator guidance for identifying and removing such
  existing images from the cache but strongly caution, if you do
  attempt to use the qemu-img tool to find them, to make sure you're
  using a version of it patched for `QEMU CVE-2024-4467
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4467>`_.

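For readers who want to see what "a raw format image which is actually a specially crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path" looks like at the byte level, the following is an added, stand-alone example; it is not Nova's own format inspector, not part of the OpenStack patches linked above, and not operator guidance from the advisory. It reads only the fixed QCOW2 header fields and the VMDK descriptor text, so it never invokes qemu-img (relevant given the QEMU CVE-2024-4467 caution in the Notes). The sample images are constructed inline, and the cache directory name passed to scan_directory() is an assumption supplied by the caller. It is a heuristic for these two formats only and does not replace applying the patches.

```python
"""Header-only check for images declared 'raw' that are really QCOW2 with a
backing file or a VMDK descriptor naming another file.  Added example."""
import os
import re
import struct

QCOW2_MAGIC = b"QFI\xfb"                  # big-endian 0x514649fb
VMDK_SPARSE_MAGIC = b"KDMV"               # little-endian 0x564d444b
VMDK_DESCRIPTOR_MARK = b"# Disk DescriptorFile"
SECTOR = 512

# Descriptor extent line:  access size type "filename" [offset]
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"')
PARENT_RE = re.compile(r'^parentFileNameHint\s*=\s*"([^"]+)"')


def qcow2_backing_file(data: bytes):
    """Backing-file path named in a QCOW2 header, or None if absent/not QCOW2.
    Only header bytes 0..19 are read: magic, version, backing_file_offset,
    backing_file_size; no cluster tables are followed."""
    if len(data) < 20 or data[:4] != QCOW2_MAGIC:
        return None
    _magic, _version, off, length = struct.unpack(">4sIQI", data[:20])
    if length == 0:
        return None
    if off + length > len(data):
        # Header claims a backing file that lies outside the bytes we have:
        # still a QCOW2 carrying a backing reference, so report it.
        return "<backing file name beyond offset %d, len %d>" % (off, length)
    return data[off:off + length].decode("utf-8", errors="replace")


def vmdk_references(data: bytes):
    """File names referenced by a VMDK descriptor (plain-text descriptor or
    the descriptor embedded in a sparse extent header); None if not VMDK."""
    if data.startswith(VMDK_SPARSE_MAGIC) and len(data) >= 44:
        # SparseExtentHeader: magic, version, flags, capacity, grainSize,
        # descriptorOffset, descriptorSize (last two in 512-byte sectors)
        _m, _v, _f, _cap, _grain, d_off, d_size = struct.unpack("<IIIQQQQ", data[:44])
        text = data[d_off * SECTOR:(d_off + d_size) * SECTOR]
    elif data.lstrip().startswith(VMDK_DESCRIPTOR_MARK):
        text = data
    else:
        return None
    refs = []
    for line in text.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        for rx in (EXTENT_RE, PARENT_RE):
            m = rx.match(line)
            if m:
                refs.append(m.group(1))
    return refs


def classify(data: bytes) -> dict:
    """Classify bytes a client declared as 'raw'."""
    if data[:4] == QCOW2_MAGIC:
        backing = qcow2_backing_file(data)
        return {"format": "qcow2", "references": [backing] if backing else []}
    refs = vmdk_references(data)
    if refs is not None:
        return {"format": "vmdk", "references": refs}
    return {"format": "raw", "references": []}


def is_acceptable_raw(data: bytes) -> bool:
    """Reject any QCOW2/VMDK structure, not only those with references:
    a QCOW2 without a backing file is still not the raw image it claims to be."""
    return classify(data)["format"] == "raw"


def scan_directory(path: str):
    """Yield (name, finding) for files under `path` (assumed to be a directory
    of images expected to be raw) that are not plain raw."""
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(1 << 20)   # header plus any embedded descriptor
        finding = classify(head)
        if finding["format"] != "raw":
            yield name, finding


# --- constructed sample inputs (built here for the example, not real images) ---
def make_qcow2_with_backing(backing: str) -> bytes:
    """Minimal QCOW2 v2 header whose backing file name sits at offset 72."""
    name = backing.encode()
    header = struct.pack(">4sIQIIQ", QCOW2_MAGIC, 2, 72, len(name), 16, 0)
    return header.ljust(72, b"\0") + name


def make_sparse_vmdk(descriptor: bytes) -> bytes:
    """Sparse extent header with the descriptor in sector 1 (one sector long)."""
    header = struct.pack("<IIIQQQQ", 0x564D444B, 1, 3, 4192256, 128, 1, 1)
    return header.ljust(SECTOR, b"\0") + descriptor.ljust(SECTOR, b"\0")


SAMPLE_VMDK_DESCRIPTOR = b"""# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 4192256 FLAT "/etc/shadow" 0
"""

if __name__ == "__main__":
    for sample in (make_qcow2_with_backing("/etc/passwd"),
                   SAMPLE_VMDK_DESCRIPTOR,
                   make_sparse_vmdk(SAMPLE_VMDK_DESCRIPTOR),
                   b"\0" * 4096):
        print(classify(sample))
```

The point of the check is the one the advisory makes: the declared disk format must not be trusted, and the cheapest place to catch the mismatch is the first few header bytes before any tool that honours backing files or extent descriptors ever opens the image. A file that is already in the cache and passes this check could still be some other container format, so the check says "not QCOW2 and not a VMDK descriptor", nothing stronger.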