Bug 2274806 (CVE-2024-28718) - CVE-2024-28718 openstack-magnum: time-of-check to time-of-use (TOCTOU) attack risk via cert_manager.py
Summary: CVE-2024-28718 openstack-magnum: time-of-check to time-of-use (TOCTOU) attack...
Keywords:
Status: NEW
Alias: CVE-2024-28718
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-04-12 20:55 UTC by Robb Gatica
Modified: 2024-04-12 21:11 UTC

Fixed In Version: openstack-magnum 16.0.2, openstack-magnum 17.0.2, openstack-magnum 14.1.2, openstack-magnum 15.0.2, openstack-magnum 18.0.0rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in OpenStack Magnum. When the conductor caches a cluster's CA certificate, client certificate and decrypted private key to disk, it creates and writes each file with the process's default permissions (the umask applied to 0o666) and only afterwards tightens them to 0o600. This leaves a time-of-check to time-of-use (TOCTOU) window between the write and the chmod in which a local attacker on the conductor host may be able to read the files, including the private key.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-04-12 20:55:57 UTC
When a file is first written and then its permissions are later changed using chmod, there exists a potential security risk known as a time-of-check to time-of-use (TOCTOU) attack. In this type of attack, an attacker exploits the time window between when the file is initially written and when its permissions are modified. During this time window, the attacker may gain access to the file:

At https://github.com/openstack/magnum/blob/537e69aeb8df7af480e6af11a98687179d4dd89c/magnum/conductor/handlers/common/cert_manager.py#L185, we first write ca_file, key_file and cert_file, then we chmod them.

```
# Vulnerable ordering: each file is created with the default (umask-derived)
# mode, fully written and flushed, and only then restricted to 0o600.
ca_file = open(cached_ca_file, "w+")
ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
ca_file.flush()

key_file = open(cached_key_file, "w+")
key_file.write(encodeutils.safe_decode(
    magnum_cert.get_decrypted_private_key()))
key_file.flush()

cert_file = open(cached_cert_file, "w+")
cert_file.write(
    encodeutils.safe_decode(magnum_cert.get_certificate()))
cert_file.flush()

# Permissions are tightened after the secrets are already on disk.
os.chmod(cached_ca_file, 0o600)
os.chmod(cached_key_file, 0o600)
os.chmod(cached_cert_file, 0o600)
```

References:
https://bugs.launchpad.net/magnum/+bug/2047690
https://gist.github.com/Fewword/f098d8d6375ac25e27b18c0e57be532f
https://review.opendev.org/c/openstack/magnum/+/907305


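The following is an added example, not code from the Magnum project or from the reporter, illustrating both the Doc Text and the description above: it measures the mode a file carries during the write-then-chmod window and contrasts it with creating the file at its final mode via os.open. The file names, the SAMPLE_KEY string and the demo() helper are constructed for this illustration; the hardened form is one standard way to close the window and is not claimed to be the exact change made in review 907305.

```python
import os
import stat
import tempfile

# Constructed stand-in for a decrypted private key; not real key material.
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n"


def mode_of(path):
    """Permission bits of path as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data):
    """Vulnerable pattern (same ordering as cert_manager.py before the fix).

    open(path, "w+") creates the file with mode 0o666 masked by the umask,
    the secret is written and flushed, and only then is the mode tightened.
    Returns the mode observed while the data was on disk but before chmod,
    i.e. what another local user could see during the window.
    """
    with open(path, "w+") as f:
        f.write(data)
        f.flush()
        exposed_mode = mode_of(path)
    os.chmod(path, 0o600)
    return exposed_mode


def write_private(path, data):
    """Hardened form (assumed here, not Magnum's exact patch).

    The final mode is passed to os.open at creation time, so there is never
    a moment when the file exists with wider permissions. O_EXCL makes the
    open fail instead of writing into a file (or through a symlink) that an
    attacker pre-placed at the path; O_NOFOLLOW is added where the platform
    has it. A stale cache file from an earlier run is removed first so the
    exclusive create can succeed.
    """
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
        f.flush()
        created_mode = mode_of(path)
    return created_mode


def demo(umask=0o022):
    """Run both variants under a typical umask and return (vulnerable_mode,
    hardened_mode). With umask 0o022 the vulnerable file is 0o644, i.e.
    world-readable, until chmod runs; the hardened file is 0o600 throughout."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            vuln = write_then_chmod(os.path.join(d, "key_vuln.pem"), SAMPLE_KEY)
            safe = write_private(os.path.join(d, "key_safe.pem"), SAMPLE_KEY)
    finally:
        os.umask(old)
    return vuln, safe


if __name__ == "__main__":
    vuln, safe = demo()
    print("mode during write-then-chmod window: %o" % vuln)
    print("mode with os.open(..., 0o600):         %o" % safe)
```

Setting a restrictive umask for the whole conductor process would also narrow the window, but it is global state that other code paths may change; passing the mode at creation time is local to the call and does not depend on it. The directory holding the cached certificates should additionally be owned by the service user with mode 0700, so that a local attacker cannot even enumerate or pre-create entries in it.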