CVE-2015-7548

Vulnerability

A vulnerability exists in OpenStack Compute (Nova) versions prior to 2015.1.3 (kilo) and 12.0.1 (liberty) when using libvirt to spawn instances and use_cow_images is set to False. In such configurations, an authenticated user can overwrite an instance disk with a crafted image and then request a snapshot of the instance. The snapshot process will then read a file from the compute host, dictated by the crafted image, leading to unauthorized file disclosure [1][2].

Exploitation

An authenticated user must have the ability to modify their instance disk (write access) and to request a snapshot. The attacker first overwrites the instance disk with a specially crafted image that points to an arbitrary file on the compute host. Then the attacker triggers a snapshot request. The snapshot operation will read the targeted file from the host. No additional privileges beyond standard instance usage are required [2].

Impact

Successful exploitation allows an authenticated user to read an arbitrary file from the compute host. The file must be readable by the nova user (or by root when LVM is used for instance storage) to be exposed. This can lead to information disclosure of sensitive host data, such as configuration files or keys [2].

Mitigation

Fixed in Nova versions 2015.1.3 (kilo) and 12.0.1 (liberty), released around January 2016. Patches are available and were backported to Mitaka as well [2]. Upgrading to the fixed versions is the recommended mitigation. Users who cannot upgrade should ensure use_cow_images is set to True (the default) or use a non-vulnerable storage backend (such as Ceph). Red Hat issued RHSA-2016-0018 for affected Red Hat Enterprise Linux OpenStack Platform releases [1]. The vulnerability is not listed in the CISA KEV catalog.