-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Suds client subject to cache poisoning by local attacker - ---
### Summary ### Suds is a Python SOAP client for consuming Web Services. Its default cache implementation stores pickled objects to a predictable path in /tmp. This can be used by a local attacker to redirect SOAP requests via symlinks or run a privilege escalation or code execution attack. ### Affected Services / Software ### Cinder, Nova, Grizzly, Havana, Icehouse ### Discussion ### The Python 'suds' package is used by oslo.vmware to interface with SOAP service APIs and both Cinder and Nova have dependencies on oslo.vmware when using VMware drivers. By default suds uses an on-disk cache that places pickle files, serialised Python objects, into a known location '/tmp/suds'. A local attacker could use symlinks or place crafted files into this location that will later be deserialised by suds. By manipulating the content of the cached pickle files, an attacker can redirect or modify SOAP requests. Alternatively, pickle may be used to run injected Python code during the deserialisation process. This can allow the spawning of a shell to execute arbitrary OS level commands with the permissions of the service using suds, thus leading to possible privilege escalation. At the time of writing, the suds package appears largely unmaintained upstream. However, vendors have released patched versions that do not suffer from the predictable cache path problem. Ubuntu is known to offer one such patched version (python-suds_0.4.1-2ubuntu1.1). ### Recommended Actions ### The recommended solution to this issue is to disable cache usage in the configuration as shown: 'client.set_options(cache=None)' A fix has been released to oslo.vmware (0.6.0) that disables the use of the disk cache by default. Cinder and Nova have both adjusted their requirements to include this fixed version. Deployers wishing to re-enable the cache should ascertain whether or not their vendor shipped suds package is susceptible and consider the above advice. ### Contacts / References ### This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0038 Original Launchpad Bug : https://bugs.launchpad.net/ossn/+bug/1341954 OpenStack Security ML : [email protected] OpenStack Security Group : https://launchpad.net/~openstack-ossg Suds: https://pypi.python.org/pypi/suds CVE: CVE-2013-2217 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJUkncUAAoJEJa+6E7Ri+EVFIcH/RiGaDTmkjGI9zlSebw8u0/3 1XJgi/XcptjkKDPXDB+gOwm6TBIAHHBTED36rS21Q77jeKn0yrz6YSsu17XA2j02 5E1I9U8fzkf2r0YYPd94d14MSi6qAIDIgqwXoMjMmk/utUnTywB26v+FVj+OnMem wmcv/fgNP2YW2Erzl5khkjWZ9/hSjBNLH7kRU8ddLB3z3FIyjAOPTiJIomEIzJgw VjGXNbi3eJrRptYXSocXtW6YPKY6aC42tGPF1OH/h9B3j90GwsFWy9Z2Vea+TkqO rBEcd14XBF+IiS9g1tXyleciLcxw2Ty2+KkGoGlfP0cur2ALyZxU2dD7DoTTpyo= =pG/1 -----END PGP SIGNATURE----- _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
