CVE-2024-40767
📋 TL;DR
This vulnerability allows authenticated users to trick OpenStack Nova into reading arbitrary files from the server by uploading specially crafted disk images. By disguising a QCOW2 image with a backing file path or VMDK flat image with a descriptor file path as a raw format image, attackers can access sensitive server files. All OpenStack Nova deployments running vulnerable versions are affected.
💻 Affected Systems
- OpenStack Nova
📦 What is this software?
Nova by Openstack
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive server files including configuration files, SSH keys, passwords, and other credentials leading to full system compromise.
Likely Case
Unauthorized access to configuration files, logs, and potentially sensitive data stored on the compute nodes.
If Mitigated
Limited impact with proper network segmentation, minimal file permissions, and monitoring of image upload activities.
🎯 Exploit Status
Requires authenticated access to Nova API and knowledge of server file paths. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nova 27.4.1, 28.2.1, or 29.1.1
Vendor Advisory: https://security.openstack.org/ossa/OSSA-2024-002.html
Restart Required: Yes
Instructions:
1. Upgrade Nova to version 27.4.1, 28.2.1, or 29.1.1 depending on your release series.
2. Restart all Nova services.
3. Verify the fix by checking the version and testing image upload functionality.
🔧 Temporary Workarounds
Restrict image upload permissions
Limit which users can upload images to trusted administrators only (all platforms):
openstack role remove --user <username> --project <project> <role>
openstack role add --user <admin_user> --project <project> <role>
Implement file path validation
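Add additional validation for image file paths and formats (all platforms).
Custom configuration in nova.conf:
[glance]
allowed_direct_url_schemes = file,http,https
This option controls which direct_url schemes Nova may download images from; it does not inspect image contents.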
🧯 If You Can't Patch
- Restrict image uploads to trusted administrators only
- Implement strict monitoring and alerting for image upload activities
🔍 How to Verify
Check if Vulnerable:
Check the Nova version with nova-manage version or nova-api --version. If the version is earlier than the fixed release for your series (27.4.1, 28.2.1, or 29.1.1), you are vulnerable.
Check Version:
nova-manage version
Verify Fix Applied:
After patching, verify version is 27.4.1, 28.2.1, or 29.1.1. Test image upload functionality with various formats to ensure proper validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual image upload patterns
- Multiple failed image validations
- Access to unexpected file paths in logs
Network Indicators:
- Unusual API calls to /v2.1/{tenant_id}/servers or image endpoints
- Large or unusual image uploads
SIEM Query:
source="nova-api" AND ("image upload" OR "create image") AND status="success" AND user NOT IN ["admin_users"]
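A pre-check for the disguise described in the TL;DR, as an added example that is not part of the original page or Nova's own code: it reads the leading bytes of an image registered as raw and reports a QCOW2 header that names a backing file, or a VMDK text descriptor that names an extent file. The function names, the 64 KiB read limit and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

QCOW2_MAGIC = b"QFI\xfb"
VMDK_MARKER = b"# Disk DescriptorFile"
# VMDK extent line: <access> <sectors> <type> "<file name>" [offset]
VMDK_EXTENT = re.compile(rb'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"', re.M)


def inspect_declared_raw(head: bytes):
    """Classify the leading bytes of an image whose declared disk_format is raw.

    Returns (finding, referenced_path); finding is None when nothing
    format-specific was recognised.
    """
    if head[:4] == QCOW2_MAGIC and len(head) >= 20:
        # Big-endian QCOW2 header: version u32 at offset 4,
        # backing_file_offset u64 at 8, backing_file_size u32 at 16.
        _version, offset, size = struct.unpack(">IQI", head[4:20])
        if offset and size:
            name = head[offset:offset + size].decode("utf-8", "replace")
            return "qcow2-with-backing-file", name
        return "qcow2", None
    if VMDK_MARKER in head[:512]:
        match = VMDK_EXTENT.search(head)
        path = match.group(1).decode("utf-8", "replace") if match else None
        return "vmdk-descriptor", path
    return None, None


def inspect_file(path: str, limit: int = 65536):
    """Read only the first `limit` bytes of an uploaded image and classify them."""
    with open(path, "rb") as fh:
        return inspect_declared_raw(fh.read(limit))


# Constructed samples: header bytes only, with placeholder paths (not usable images).
BACKING_NAME = b"/constructed/placeholder.img"
SAMPLE_QCOW2 = (QCOW2_MAGIC + struct.pack(">IQI", 3, 104, len(BACKING_NAME))).ljust(104, b"\0") + BACKING_NAME
SAMPLE_VMDK = (b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicFlat"\n'
               b'RW 2048 FLAT "constructed-flat.vmdk" 0\n')
SAMPLE_RAW = bytes(512)

if __name__ == "__main__":
    for label, blob in (("qcow2", SAMPLE_QCOW2), ("vmdk", SAMPLE_VMDK), ("raw", SAMPLE_RAW)):
        print(label, inspect_declared_raw(blob))
```

Any finding other than None on an image declared as raw is a reason to reject or quarantine the upload and alert on the uploading account.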
🔗 References
- https://launchpad.net/bugs/2071734
- https://security.openstack.org
- https://security.openstack.org/ossa/OSSA-2024-002.html
- https://www.openwall.com/lists/oss-security/2024/07/23/2
- https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html