CVE-2024-32498
📋 TL;DR
An authenticated user who is allowed to upload images can read arbitrary files from OpenStack service hosts by uploading a crafted QCOW2 image whose header points at an external data file (the QCOW2 `data_file` pointer) on the host. When Cinder, Glance or Nova later run `qemu-img` on that image, for example to convert it to raw, qemu-img follows the pointer, the host file's contents become the image's data, and the attacker retrieves them through the normal image or volume download path. It affects Cinder through 24.0.0, Glance with image conversion enabled before 28.0.2, and Nova before 29.0.3. Reads are limited to files the service's Unix account can open, which in practice includes the service's own configuration and the credentials it contains.
💻 Affected Systems
- OpenStack Cinder
- OpenStack Glance
- OpenStack Nova
📦 What is this software?
Cinder by OpenStack: the block storage (volume) service; it uses qemu-img to convert images into volumes and volumes into images.
Glance by OpenStack: the image service that stores and serves images and, when the image_conversion import plugin is enabled, converts uploaded images to a target format.
Nova by OpenStack: the compute service; nova-compute fetches images from Glance and converts them into the format the hypervisor needs.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file readable by the service account on the host that runs qemu-img (the nova, glance or cinder user), including service configuration files that hold database, message queue and Keystone credentials, and any keys those accounts can read. Those credentials can then be used for lateral movement inside the control plane and for data exfiltration.
Likely Case
Unauthorized disclosure of service configuration and credentials from the affected OpenStack hosts to a tenant user.
If Mitigated
Limited impact where image uploads are restricted to trusted users, service accounts hold minimal file permissions, and image upload and download activity is monitored. Network segmentation does not prevent the read itself, which happens locally on the service host and leaves through the normal API; it only limits what stolen credentials can reach.
🎯 Exploit Status
Requires an authenticated account that is allowed to upload images (any project member in a default Glance policy). The attacker crafts a QCOW2 image whose header names an external data file (header extension type 0x44415441, "DATA", with the external data file bit set in incompatible_features) pointing at a path on the service host, such as a service configuration file. No further exploit code is needed: the service's own qemu-img invocation performs the read, and the converted image or volume carries the file contents back to the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Cinder: a release after 24.0.0 that includes the OSSA-2024-001 fix (24.0.0 and earlier are affected); Glance: 28.0.2 or later; Nova: 29.0.3 or later. Fixes were also backported to supported stable branches; see the advisory for the per-branch ranges.
Vendor Advisory: https://security.openstack.org/ossa/OSSA-2024-001.html
Restart Required: Yes
Instructions:
1. Update Cinder, Glance and Nova to patched versions.
2. Restart the services that process image data: glance-api, cinder-volume and cinder-backup, and nova-compute on every compute node.
3. Verify the fix by checking the installed server versions and confirming that an image with an external data file or backing file reference is rejected on upload or conversion.
🔧 Temporary Workarounds
Disable image conversion in Glance (Linux)
Stops Glance's own qemu-img conversion of uploaded images: remove `image_conversion` from `image_import_plugins` in the `[image_import_opts]` section of glance-api.conf and restart glance-api.
This protects only the Glance host. Nova still converts images when booting instances and Cinder still converts them when creating volumes, so both remain exposed until patched. Restricting `disk_formats` in glance-api.conf to exclude qcow2 is not sufficient on its own, because the consuming services detect the real format with qemu-img and will happily convert a QCOW2 that was declared as raw.
Restrict image upload permissions (all platforms)
Limits which users can upload images, reducing the set of accounts able to exploit the bug.
Configure the Glance policy rules `add_image` and `upload_image` in policy.yaml to allow only trusted roles.
🧯 If You Can't Patch
- Restrict image uploads to trusted users and review who holds that right; this is the only workaround that removes the attack path for all three services.
- Keep service configuration files readable only by their service account so a successful read exposes as little as possible, and segment the control plane so leaked credentials cannot be used from tenant networks.
- Monitor and audit image upload and download activity for suspicious patterns (see Detection & Monitoring).
🔍 How to Verify
Check if Vulnerable:
Check the installed server versions on the control and compute nodes and compare them against the affected ranges. Note that `cinder --version`, `glance --version` and `nova --version` report the version of the command-line client library, not of the server, so they do not tell you whether the deployment is patched.
Check Version:
cinder-manage --version 2>/dev/null || echo 'Cinder not installed'; glance-manage --version 2>/dev/null || echo 'Glance not installed'; nova-manage --version 2>/dev/null || echo 'Nova not installed'
# or query the package manager, e.g. pip show nova, rpm -q openstack-nova-compute, dpkg -l nova-compute
Verify Fix Applied:
Confirm the services are running patched versions, then upload a test QCOW2 whose header names an external data file that you control and attempt to boot an instance or create a volume from it: a patched deployment rejects the image with a format or "unsafe image" error instead of producing a converted image containing the referenced file.
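The Exploit Status section describes the crafted header and the verification step above asks for a test image with an external data reference. The following is an added example of my own, not code from the OpenStack projects (the upstream fix introduced a pure-Python format inspector that performs checks of this kind, but this is not that code). It parses the QCOW2 header and its header extensions directly, without calling qemu-img, and flags any image that names an external data file or a backing file. `build_qcow2` constructs minimal header-only test images in memory; the path `/etc/passwd` used in it is illustrative.

```python
"""Flag QCOW2 images that carry the external-data-file or backing-file
pointers abused in CVE-2024-32498. Added example, not OpenStack code."""
import struct
import sys
from typing import Optional

QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000                 # header extension list terminator
EXT_DATA_FILE_NAME = 0x44415441      # "DATA": external data file name
INCOMPAT_DATA_FILE = 1 << 2          # incompatible_features bit 2
MAX_HEADER_SCAN = 1 << 20            # never walk extensions past 1 MiB


def _parse_extensions(img: bytes, offset: int) -> dict:
    """Walk the header extension list that follows the fixed header."""
    exts = {}
    while offset + 8 <= min(len(img), MAX_HEADER_SCAN):
        ext_type, ext_len = struct.unpack_from(">II", img, offset)
        if ext_type == EXT_END:
            break
        data = img[offset + 8: offset + 8 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated header extension")
        exts[ext_type] = data
        offset += 8 + ((ext_len + 7) & ~7)   # payload is padded to 8 bytes
    return exts


def inspect_qcow2(img: bytes) -> dict:
    """Return the header fields relevant to external file references."""
    if len(img) < 72 or img[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, bf_off, bf_size = struct.unpack_from(">IQI", img, 4)
    if version == 2:
        hdr_len, incompat = 72, 0
    elif version == 3:
        if len(img) < 104:
            raise ValueError("truncated v3 header")
        incompat = struct.unpack_from(">Q", img, 72)[0]
        hdr_len = struct.unpack_from(">I", img, 100)[0]
    else:
        raise ValueError(f"unsupported QCOW2 version {version}")
    backing = None
    if bf_off and bf_size:
        backing = img[bf_off: bf_off + bf_size].decode("utf-8", "replace")
    data_file = _parse_extensions(img, hdr_len).get(EXT_DATA_FILE_NAME)
    return {
        "version": version,
        "backing_file": backing,
        "data_file": None if data_file is None else data_file.decode("utf-8", "replace"),
        "external_data_flag": bool(incompat & INCOMPAT_DATA_FILE),
    }


def is_safe_for_conversion(img: bytes) -> bool:
    """True only if the image references no file outside itself."""
    info = inspect_qcow2(img)
    return (info["backing_file"] is None and info["data_file"] is None
            and not info["external_data_flag"])


def build_qcow2(data_file: Optional[str] = None,
                backing_file: Optional[str] = None) -> bytes:
    """Constructed test input: a minimal v3 header-only image (no clusters)."""
    hdr_len = 104
    exts = b""
    if data_file is not None:
        payload = data_file.encode()
        exts += struct.pack(">II", EXT_DATA_FILE_NAME, len(payload)) + payload
        exts += b"\0" * (-len(payload) % 8)
    exts += struct.pack(">II", EXT_END, 0)
    backing_blob = backing_file.encode() if backing_file else b""
    bf_off = hdr_len + len(exts) if backing_blob else 0
    incompat = INCOMPAT_DATA_FILE if data_file is not None else 0
    header = struct.pack(
        ">4sIQIIQIIQQIIQQQQII",
        QCOW2_MAGIC, 3, bf_off, len(backing_blob), 16, 1 << 20,   # magic..size
        0, 1, 0, 0, 0, 0, 0,                     # crypt, L1, refcount, snapshots
        incompat, 0, 0, 4, hdr_len)              # features, refcount order, length
    return header + exts + backing_blob


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(MAX_HEADER_SCAN)
        print(path, "SAFE" if is_safe_for_conversion(head) else "REJECT", inspect_qcow2(head))
```

Run the check on the bytes as they arrive, regardless of the disk_format the uploader declared, since a QCOW2 labelled raw reaches the same qemu-img code path. Rejecting backing files as well as data files is deliberate: either pointer makes qemu-img open a second file chosen by the uploader.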
📡 Detection & Monitoring
Log Indicators:
- QCOW2 uploads followed shortly by a download of the resulting image, or by volume creation and attachment, from the same user or project
- qemu-img errors in glance-api, cinder-volume or nova-compute logs that name a host path (for example a failure to open a file under /etc or /var/lib) while processing a user image
- Many small QCOW2 uploads from a single account, each referencing a different host path
Network Indicators:
- Few. The stolen data leaves through the ordinary image download (GET /v2/images/{id}/file) or volume access path, so look for download volume and timing that does not match normal image usage rather than for unusual outbound connections from the service hosts
SIEM Query:
source="openstack" AND ("image upload" OR "qcow2" OR "external data") AND (error OR failed OR denied)
🔗 References
- https://www.openwall.com/lists/oss-security/2024/07/02/2
- https://launchpad.net/bugs/2059809
- https://security.openstack.org/ossa/OSSA-2024-001.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00016.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html