CVE-2024-32498

OpenStack: malicious qcow2/vmdk images

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.

Se descubrió un problema en OpenStack Cinder hasta 24.0.0, Glance antes de 28.0.2 y Nova antes de 29.0.3. El acceso arbitrario a archivos puede ocurrir a través de datos externos QCOW2 personalizados. Al proporcionar una imagen QCOW2 manipulada que hace referencia a una ruta de archivo de datos específica, un usuario autenticado puede convencer a los sistemas para que devuelvan una copia del contenido de ese archivo desde el servidor, lo que resulta en un acceso no autorizado a datos potencialmente confidenciales. Todas las implementaciones de Cinder y Nova se ven afectadas; solo se ven afectadas las implementaciones de Glance con la conversión de imágenes habilitada.

An input validation flaw was discovered in how multiple OpenStack services validate images with backing file references. An authenticated attacker could provide a malicious image via upload, or by creating and modifying an image from an existing volume. Validation of images can be triggered during image upload or when attaching images to virtual machines. During this process, the affected OpenStack services could be tricked into reading or writing to the host with the equivalent privileges of QEMU. This bypasses isolation restrictions, significantly reducing the security of an affected compute host, and could enable arbitrary code execution, a denial of service, or leaking of secrets. If exploited, the immediate impact is limited to an individual compute host. However, if the attacker has access to multiple hosts and enough time to repeat it, they could potentially spread across all compute hosts.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-15 CVE Reserved
2024-07-03 CVE Published
2024-09-24 EPSS Updated
2024-10-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-552: Files or Directories Accessible to External Parties

CAPEC

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/07/02/2	Mailing List
https://security.openstack.org/ossa/OSSA-2024-001.html

URL	Date	SRC

URL	Date	SRC
https://launchpad.net/bugs/2059809	2024-07-08
https://www.openwall.com/lists/oss-security/2024/07/02/2	2024-07-08

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32498	2024-07-09
https://bugzilla.redhat.com/show_bug.cgi?id=2278663	2024-07-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Cinder Search vendor "Openstack" for product "Cinder"				< 22.1.3 Search vendor "Openstack" for product "Cinder" and version " < 22.1.3"		-		Affected
Openstack Search vendor "Openstack"		Cinder Search vendor "Openstack" for product "Cinder"				>= 23.0.0 < 23.1.1 Search vendor "Openstack" for product "Cinder" and version " >= 23.0.0 < 23.1.1"		-		Affected
Openstack Search vendor "Openstack"		Cinder Search vendor "Openstack" for product "Cinder"				24.0.0 Search vendor "Openstack" for product "Cinder" and version "24.0.0"		-		Affected
Openstack Search vendor "Openstack"		Glance Search vendor "Openstack" for product "Glance"				< 26.0.1 Search vendor "Openstack" for product "Glance" and version " < 26.0.1"		-		Affected
Openstack Search vendor "Openstack"		Glance Search vendor "Openstack" for product "Glance"				>= 28.0.0 < 28.0.2 Search vendor "Openstack" for product "Glance" and version " >= 28.0.0 < 28.0.2"		-		Affected
Openstack Search vendor "Openstack"		Glance Search vendor "Openstack" for product "Glance"				27.0.0 Search vendor "Openstack" for product "Glance" and version "27.0.0"		-		Affected
Openstack Search vendor "Openstack"		Nova Search vendor "Openstack" for product "Nova"				< 27.3.1 Search vendor "Openstack" for product "Nova" and version " < 27.3.1"		-		Affected
Openstack Search vendor "Openstack"		Nova Search vendor "Openstack" for product "Nova"				>= 28.0.0 < 28.1.1 Search vendor "Openstack" for product "Nova" and version " >= 28.0.0 < 28.1.1"		-		Affected
Openstack Search vendor "Openstack"		Nova Search vendor "Openstack" for product "Nova"				>= 29.0.0 < 29.0.3 Search vendor "Openstack" for product "Nova" and version " >= 29.0.0 < 29.0.3"		-		Affected