15:09:08 <fungi> #startmeeting security
15:09:10 <openstack> Meeting started Thu Jan 17 15:09:08 2019 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:09:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:09:14 <openstack> The meeting name has been set to 'security'
15:09:43 <fungi> #topic cinder bug 1799221
15:09:48 <openstack> bug 1799221 in Cinder queens "cinder-volume can create truncated volumes when masking glanceclient errors" [Undecided,In progress] https://launchpad.net/bugs/1799221 - Assigned to Brian Rosmaita (brian-rosmaita)
15:10:13 <rosmaita> yeah, that's a public bug, the security implications weren't obvious immediately
15:10:18 <fungi> interesting, i didn't see an e-mail from lp about that addition
15:10:33 <rosmaita> and would probably require a bunch of failures in various places to be a real problem
15:10:44 <rosmaita> i assigned it to OSSN first (not sure why)
15:10:51 <rosmaita> and then reassigned to OSSA
15:10:56 <rosmaita> not sure if that makes a difference
15:10:51 <nickthetait> that's fine
15:11:39 <fungi> well, one is for dated advisories announcing backported fixes to supported stable branches, the other is for addenda to the security guide containing guidance to deployers/users
15:12:22 <rosmaita> yeah, i really just wanted to get your attention for someone to take a look in case it's something we need to tell people about
15:13:25 <fungi> skimming, it's not immediately obvious to me how a malicious actor could leverage this bug to achieve anything. mind elaborating on the exploit scenario(s) you were worried about?
15:14:16 <rosmaita> well, as the glanceclient is downloading an image, it does an instream checksum/hash validation
15:14:38 <rosmaita> if the checksum doesn't match it will throw an exception
15:14:50 <rosmaita> which from pike on, cinder is ignoring
15:15:24 <rosmaita> so i believe it's possible that if somehow you could change the image data in glance, then you could create a bootable volume from it
15:16:11 <rosmaita> but you'd need to already be "in" the cloud or have compromised glance to make this work
15:16:57 <fungi> if you're in a position to change the image data in glance, can you generally also change the checksum to match it?
15:17:24 <nickthetait> seems to me like an attacker would need ability to manipulate network speed and MITM
15:17:48 <rosmaita> fungi: probably, you'd need to modify the database
15:18:04 <rosmaita> glance won't allow checksum change via api even for admin
15:19:03 <rosmaita> maybe there would be a way to redirect the glance data and replace it with your own
15:19:19 <rosmaita> but you'd have to have compromised a bunch of stuff to get that to happen, i would think
15:19:38 <rosmaita> so i think it's a pretty long shot that this could be an attack
15:20:18 <fungi> so the attacker who can't alter the checksum but is still able to alter the image contents and also able to trigger an ioerror in cinder could coerce nova into booting that altered image
15:20:42 <rosmaita> yeah, you've got it exactly
15:20:59 <rosmaita> actually,
15:21:17 <rosmaita> it's more that the compromised data would trigger a glanceclient exception that cinder would ignore
15:21:32 <fungi> but needs to be an ioerror exception, specifically
15:21:40 <rosmaita> yes
15:22:00 <fungi> and not enospc i guess
15:22:08 <rosmaita> right
15:22:35 <fungi> my opinion, vmt hat on, is that this is a class c1 report per our taxonomy
15:22:40 <rosmaita> yeah, it's an EPIPE that glance throws
15:22:48 <fungi> #link https://security.openstack.org/vmt-process.html#incident-report-taxonomy OpenStack VMT Report Taxonomy
15:23:15 <nickthetait> i would agree with that designation
15:23:21 <fungi> so it's worth fixing if possible, and might warrant a note (ossn)
15:23:51 <fungi> also someone might consider getting a cve assigned for it, but the vmt doesn't need one since we wouldn't issue an advisory (ossa)
15:24:12 <fungi> i'll add a comment to the bug
15:24:19 <nickthetait> ok
15:24:20 <fungi> rosmaita: thanks for bringing this up!
15:24:37 <fungi> #action fungi comment on bug 1799221
15:24:42 <openstack> bug 1799221 in Cinder queens "cinder-volume can create truncated volumes when masking glanceclient errors" [Undecided,In progress] https://launchpad.net/bugs/1799221 - Assigned to Brian Rosmaita (brian-rosmaita)
15:25:01 <rosmaita> thanks
15:25:14 <fungi> #topic nova bug 1811870
15:25:20 <openstack> bug 1811870 in OpenStack Compute (nova) "libvirt reporting incorrect value of 4k (small) pages" [High,In progress] https://launchpad.net/bugs/1811870 - Assigned to Stephen Finucane (stephenfinucane)
15:25:37 <fungi> sean-k-mooney brought this one to my attention earlier today
15:26:30 <fungi> basically there was a bug fixed upstream in libvirt but not backported to the versions carried in a lot of popular distros
15:27:09 <fungi> this opens a potential denial of service condition on nova hypervisor hosts
15:27:54 <fungi> my openstack vmt opinion is that this is class c2 (vulnerability in a dependency) and might warrant an ossn as well
15:28:02 <fungi> but feedback on that is welcome
15:28:55 <fungi> ideally major distros would get the fix backported, but it looks like stephenfin may be putting together a workaround for it
15:30:54 <nickthetait> i don't understand how this one affects openstack yet
15:32:52 <fungi> i think the implication is that on an affected hypervisor if small page size is set, an authenticated malicious actor could create a denial of service condition by overrunning memory
15:33:34 <nickthetait> yeah that piece makes sense
15:34:13 <fungi> #link https://www.redhat.com/archives/rhsa-announce/2018-June/msg00038.html [RHSA-2018:1997-01] Important: libvirt security and bug fix update
15:35:11 <fungi> so if there's to be an ossn, it should likely mention that not overriding the page size configuration could mitigate the risk on hypervisor hosts running an affected distro
15:35:57 <fungi> falls into the category of vulnerabilities in popular openstack dependencies, but whether it's severe enough to prioritize for an ossn is debatable
15:36:28 <nickthetait> okay
15:37:12 <fungi> i told sean-k-mooney i'd bring it up in the security sig meeting today, so... now i have! ;)
15:37:34 <fungi> #action fungi comment on bug 1811870
15:37:39 <openstack> bug 1811870 in OpenStack Compute (nova) "libvirt reporting incorrect value of 4k (small) pages" [High,In progress] https://launchpad.net/bugs/1811870 - Assigned to Stephen Finucane (stephenfinucane)
15:38:04 <fungi> #link https://launchpad.net/bugs/1811870 libvirt reporting incorrect value of 4k (small) pages
15:38:51 <fungi> #topic bug 1734320
15:38:58 <openstack> bug 1734320 in OpenStack Compute (nova) "Eavesdropping private traffic" [Undecided,In progress] https://launchpad.net/bugs/1734320 - Assigned to sean mooney (sean-k-mooney)
15:39:13 <fungi> #link https://launchpad.net/bugs/1734320 Eavesdropping private traffic
15:40:18 <fungi> this one has been triaged by the openstack vmt as a class b2 report for now, but we're keeping an eye on it
15:41:06 <fungi> the issue involves several projects and there's still no clear path forward to resolution at the moment
15:42:06 <fungi> sean-k-mooney is working on this one, but mentioned to me that his latest attempt is also turning out to be problematic
15:42:41 <nickthetait> :S
15:43:06 <fungi> bringing it up as a security-relevant bug at least, effectively a vulnerability, but which could use some help and additional input from subject matter experts
15:43:32 <fungi> and whatever solution is eventually arrived at is quite likely to not be entirely backportable to supported stable branches
15:44:32 <fungi> anyway, if anyone has any ideas, please feel free to chime in on that bug
15:44:42 <nickthetait> alright
15:45:25 <fungi> #topic bug 1765834
15:45:37 <openstack> bug 1765834 in Swift3 "Need to verify content of v4-signed PUTs" [Undecided,New] https://launchpad.net/bugs/1765834
15:45:45 <fungi> #link https://launchpad.net/bugs/1765834 Need to verify content of v4-signed PUTs
15:46:01 <fungi> just now remembered that there's an agenda etherpad and looked at it
15:46:14 <fungi> #link https://etherpad.openstack.org/p/security-agenda Security SIG Meeting Agenda
15:46:25 <fungi> and this bug was included
15:47:36 <fungi> i recently switched this report to public, triaged as a class d hardening opportunity
15:48:22 <fungi> doesn't look like anyone is working on a fix, so if anyone is interested in tackling that one it's a welcomed security improvement
15:49:17 <fungi> oh, i take that back, tim burke has some patches attached to the bug from back when it was still private
15:49:44 <fungi> so it may be that they just need testing and someone could reach out to him about getting them pushed into gerrit
15:50:21 <fungi> #topic open discussion
15:50:38 <fungi> we've got 10 minutes remaining in the hour if anybody has anything else to bring up
15:51:50 <rosmaita> i think it's a good sign that there's not a lot to talk about!
15:52:04 <fungi> yes, indeed
15:52:18 <nickthetait> nothing new from me
15:52:56 <fungi> seeing as the two of you are the only other apparent attendees today, i'll take that as a cue to wrap it up
15:53:02 <fungi> thanks everyone!
15:53:09 <fungi> #endmeeting