Bug 2274806 (CVE-2024-28718)

Summary: CVE-2024-28718 openstack-magnum: time-of-check to time-of-use (TOCTOU) attack risk via cert_manager.py
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openstack-magnum 16.0.2, openstack-magnum 17.0.2, openstack-magnum 14.1.2, openstack-magnum 15.0.2, openstack-magnum 18.0.0rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in OpenStack Magnum. In certain conditions, an attacker may be able to initiate a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Robb Gatica 2024-04-12 20:55:57 UTC
When a file is first written and then its permissions are later changed using chmod, there exists a potential security risk known as a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file:

At https://github.com/openstack/magnum/blob/537e69aeb8df7af480e6af11a98687179d4dd89c/magnum/conductor/handlers/common/cert_manager.py#L185, we first write ca_file, key_file and cert_file, then we chmod them.

```python
# Excerpt from magnum/conductor/handlers/common/cert_manager.py at the
# commit linked above; imports added here for context.
import os
from oslo_utils import encodeutils

# Each file is created with open(), which uses the process's default mode
# (0o666 masked by umask), and the private key is written immediately.
ca_file = open(cached_ca_file, "w+")
ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
ca_file.flush()

key_file = open(cached_key_file, "w+")
key_file.write(encodeutils.safe_decode(
    magnum_cert.get_decrypted_private_key()))
key_file.flush()

cert_file = open(cached_cert_file, "w+")
cert_file.write(
    encodeutils.safe_decode(magnum_cert.get_certificate()))
cert_file.flush()

# Only now are the files restricted to owner read/write; between the
# open() calls above and these chmod() calls the files carry the default mode.
os.chmod(cached_ca_file, 0o600)
os.chmod(cached_key_file, 0o600)
os.chmod(cached_cert_file, 0o600)
```
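The write-then-chmod pattern from the excerpt beside a hardened writer, as an added example that is not the Magnum code or the upstream fix: the vulnerable version reports the mode the file carries between creation and chmod, the hardened version passes 0o600 to os.open() so the file is never created with a wider mode. Function names, the sample contents and the umask values are assumptions for the demonstration.

```python
import os
import stat
import tempfile


def write_then_chmod(path: str, data: str) -> int:
    """Pattern from the report: open() creates the file with the default mode
    (0o666 masked by umask, commonly 0o644) and chmod runs only afterwards.
    Returns the mode the file carried inside that window."""
    with open(path, "w+") as f:
        f.write(data)
        f.flush()
        mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)
    return mode_in_window


def write_private(path: str, data: str) -> int:
    """Hardened pattern: 0o600 is part of the creating open(2) call, so no
    wider mode ever exists. O_EXCL fails instead of reusing a file or
    symlink already present at the path. Returns the mode after the write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
        f.flush()
        mode_in_window = stat.S_IMODE(os.stat(path).st_mode)
    return mode_in_window


def compare_modes(umask: int = 0o022) -> tuple:
    """Run both writers under a fixed umask in a private temp directory and
    return (vulnerable_window_mode, hardened_mode)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vuln = write_then_chmod(os.path.join(d, "key.pem"), "constructed key\n")
            safe = write_private(os.path.join(d, "key2.pem"), "constructed key\n")
    finally:
        os.umask(old)
    return vuln, safe


def refuses_existing_path() -> bool:
    """The hardened writer must not write into a file that already exists."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "key.pem")
        open(p, "w").close()  # constructed pre-existing file at the target path
        try:
            write_private(p, "constructed key\n")
            return False
        except FileExistsError:
            return True
```

Under the usual umask of 0o022, compare_modes() returns (0o644, 0o600): the first value is the mode a private key file holds until chmod runs, the second is the mode the hardened writer gives it from the start.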

References:
https://bugs.launchpad.net/magnum/+bug/2047690
https://gist.github.com/Fewword/f098d8d6375ac25e27b18c0e57be532f
https://review.opendev.org/c/openstack/magnum/+/907305