15:09:08 <fungi> #startmeeting security 15:09:10 <openstack> Meeting started Thu Jan 17 15:09:08 2019 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:09:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:09:14 <openstack> The meeting name has been set to 'security' 15:09:43 <fungi> #topic cinder bug 1799221 15:09:48 <openstack> bug 1799221 in Cinder queens "cinder-volume can create truncated volumes when masking glanceclient errors" [Undecided,In progress] https://launchpad.net/bugs/1799221 - Assigned to Brian Rosmaita (brian-rosmaita) 15:10:13 <rosmaita> yeah, that's a public bug, the security implications weren't obvious immediately 15:10:18 <fungi> interesting, i didn't see an e-mail from lp about that addition 15:10:33 <rosmaita> and would probably require a bunch of failures in various places to be a real problem 15:10:44 <rosmaita> i assigned it to OSSN first (not sure why) 15:10:51 <rosmaita> and then reassigned to OSSA 15:10:56 <rosmaita> not sure if that makes a difference 15:11:19 <nickthetait> thats fine 15:11:39 <fungi> well, one is for dated advisories announcing backported fixes to supported stable branches, the other is for addenda to the security guide containing guidance to deployers/users 15:12:22 <rosmaita> yeah, i really just wanted to get your attention for someone to take a look in case it's something we need to tell people about 15:13:25 <fungi> skimming, it's not immediately obvious to me how a malicious actor could leverage this bug to achieve anything. mind elaborating on the exploit scenario(s) you were worried about? 15:14:16 <rosmaita> well, as the glanceclient is downloading an image, it does an instream checksum/hash validation 15:14:38 <rosmaita> if the checksum doesn't match it will throw an exception 15:14:50 <rosmaita> which from pike on, cinder is ignoring 15:15:24 <rosmaita> so i believe it's possible that if somehow you could change the image data in glance, then you could create a bootable volume from it 15:16:11 <rosmaita> but you'd need to already be "in" the cloud or have compromised glance to make this work 15:16:57 <fungi> if you're in a position to change the image data in glance, can you generally also change the checksum to match it? 15:17:24 <nickthetait> seems to me like an attacker would need ability to manipulate network speed and MITM 15:17:48 <rosmaita> fungi: probably, you'd need to modify the database 15:18:04 <rosmaita> glance won't allow checksum change via api even for admin 15:19:03 <rosmaita> maybe there would be a way to redirect the glance data and replace it with your own 15:19:19 <rosmaita> but you'd have to have compromised a bunch of stuff to get that to happen, i would think 15:19:38 <rosmaita> so i think it's a pretty long shot that this could be an attack 15:20:18 <fungi> so the attacker who can't alter the checksum but is still able to alter the image contents and also able to trigger an ioerror in cinder could coerce nova into booting that altered image 15:20:42 <rosmaita> yeah, you've got it exactly 15:20:59 <rosmaita> actually, 15:21:17 <rosmaita> it's more that the compromised data would trigger a glanceclient exception that cinder would ignore 15:21:32 <fungi> but needs to be an ioerror exception, specifically 15:21:40 <rosmaita> yes 15:22:00 <fungi> and not enospc i guess 15:22:08 <rosmaita> right 15:22:35 <fungi> my opinion, vmt hat on, is that this is a class c1 report per our taxonomy 15:22:40 <rosmaita> yeah, it's an EPIPE taht glance throws 15:22:48 <fungi> #link https://security.openstack.org/vmt-process.html#incident-report-taxonomy OpenStack VMT Report Taxonomy 15:23:15 <nickthetait> i would agree with that designation 15:23:21 <fungi> so it's worth fixing if possible, and might warrant a note (ossn) 15:23:51 <fungi> also someone might consider getting a cve assigned for it, but the vmt doesn't need one since we wouldn't issue an advisory (ossa) 15:24:12 <fungi> i'll add a comment to the bug 15:24:19 <nickthetait> ok 15:24:20 <fungi> rosmaita: thanks for bringing this up! 15:24:37 <fungi> #action fungi comment on bug 1799221 15:24:42 <openstack> bug 1799221 in Cinder queens "cinder-volume can create truncated volumes when masking glanceclient errors" [Undecided,In progress] https://launchpad.net/bugs/1799221 - Assigned to Brian Rosmaita (brian-rosmaita) 15:25:01 <rosmaita> thanks 15:25:14 <fungi> #topic nova bug 1811870 15:25:20 <openstack> bug 1811870 in OpenStack Compute (nova) "libvirt reporting incorrect value of 4k (small) pages" [High,In progress] https://launchpad.net/bugs/1811870 - Assigned to Stephen Finucane (stephenfinucane) 15:25:37 <fungi> sean-k-mooney brought this one to my attention earlier today 15:26:30 <fungi> basically there was a bug fixed upstream in libvirt but not backported to the versions carried in a lot of popular distros 15:27:09 <fungi> this opens a potential denial of service condition on nova hypervisor hosts 15:27:54 <fungi> my openstack vmt opinion is that this is class c2 (vulnerability in a dependency) and might warrant an ossn as well 15:28:02 <fungi> but feedback on that is welcome 15:28:55 <fungi> ideally major distros would get the fix backported, but it looks like stephenfin may be putting together a workaround for it 15:30:54 <nickthetait> i dont understand how this one affects openstack yet 15:32:52 <fungi> i think the implication is that on an affected hypervisor if small page size is set, an authenticated malicious actor could create a denial of service condition by overrunning memory 15:33:34 <nickthetait> yeah that piece makes sense 15:34:13 <fungi> #link https://www.redhat.com/archives/rhsa-announce/2018-June/msg00038.html [RHSA-2018:1997-01] Important: libvirt security and bug fix update 15:35:11 <fungi> so if there's to be an ossn, it should likely mention that not overriding the page size configuration could mitigate the risk on hypervisor hosts running an affected distro 15:35:57 <fungi> falls into the category of vulnerabilities in popular openstack dependencies, but whether it's severe enough to prioritize for an ossn is debatable 15:36:28 <nickthetait> okay 15:37:12 <fungi> i told sean-k-mooney i'd bring it up in the security sig meeting today, so... now i have! ;) 15:37:34 <fungi> #action fungi comment on bug 1811870 15:37:39 <openstack> bug 1811870 in OpenStack Compute (nova) "libvirt reporting incorrect value of 4k (small) pages" [High,In progress] https://launchpad.net/bugs/1811870 - Assigned to Stephen Finucane (stephenfinucane) 15:38:04 <fungi> #link https://launchpad.net/bugs/1811870 libvirt reporting incorrect value of 4k (small) pages Edit 15:38:51 <fungi> #topic bug 1734320 15:38:58 <openstack> bug 1734320 in OpenStack Compute (nova) "Eavesdropping private traffic" [Undecided,In progress] https://launchpad.net/bugs/1734320 - Assigned to sean mooney (sean-k-mooney) 15:39:13 <fungi> #link https://launchpad.net/bugs/1734320 Eavesdropping private traffic 15:40:18 <fungi> this one has been triaged by the openstack vmt as a class b2 report for now, but we're keeping an eye on it 15:41:06 <fungi> the issue involves several projects and there's still no clear path forward to resolution at the moment 15:42:06 <fungi> sean-k-mooney is working on this one, but mentioned to me that his latest attempt is also turning out to be problematic 15:42:41 <nickthetait> :S 15:43:06 <fungi> bringing it up as a security-relevant bug at least, effectively a vulnerability, but which could use some help and additional input from subject matter experts 15:43:32 <fungi> and whatever solution is eventually arrived at is quite likely to not be entirely backportable to supported stable branches 15:44:32 <fungi> anyway, if anyone has any ideas, please feel free to chime in on that bug 15:44:42 <nickthetait> alright 15:45:25 <fungi> #topic bug 1765834 15:45:37 <openstack> bug 1765834 in Swift3 "Need to verify content of v4-signed PUTs" [Undecided,New] https://launchpad.net/bugs/1765834 15:45:45 <fungi> #link https://launchpad.net/bugs/1765834 Need to verify content of v4-signed PUTs 15:46:01 <fungi> just now remembered that there's an agenda etherpad and looked at it 15:46:14 <fungi> #link https://etherpad.openstack.org/p/security-agenda Security SIG Meeting Agenda 15:46:25 <fungi> and this bug was included 15:47:36 <fungi> i recently switched this report to public, triaged as a class d hardening opportunity 15:48:22 <fungi> doesn't look like anyone is working on a fix, so if anyone is interested in tackling that one it's a welcomed security improvement 15:49:17 <fungi> oh, i take that back, tim burke has some patches attached to the bug from back when it was still private 15:49:44 <fungi> so it may be that they just need testing and someone could reach out to him about getting them pushed into gerrit 15:50:21 <fungi> #topic open discussion 15:50:38 <fungi> we've got 10 minutes remaining in the hour if anybody has anything else to bring up 15:51:50 <rosmaita> i think it's a good sign that there's not a lot to talk about! 15:52:04 <fungi> yes, indeed 15:52:18 <nickthetait> nothing new from me 15:52:56 <fungi> seeing as the two of you are the only other apparent attendees today, i'll take that as a cue to wrap it up 15:53:02 <fungi> thanks everyone! 15:53:09 <fungi> #endmeeting