CVE-2024-40767

Root

Cause

CVE-2024-40767 is a path-traversal vulnerability in OpenStack Nova that arises from incomplete fixes for two prior CVEs: CVE-2022-47951 and CVE-2024-32498 [1][4]. When Nova handles raw-format images, it does not sufficiently validate that the supplied file is actually a raw image; an attacker can upload a crafted QCOW2 image that specifies a backing file path or a VMDK flat image containing a descriptor file path [2]. These paths can point to arbitrary files on the server's filesystem.

Exploitation

An authenticated OpenStack user can upload such a crafted image (e.g., a QCOW2 file with a backing file set to /etc/hosts or a VMDK with a descriptor file pointing at the same) and then boot an instance from that image [2]. The Nova compute service, when preparing the instance disk, will follow the embedded path and access the target file. The attack requires only standard user credentials for image upload and instance boot; no administrative privileges or special network access are needed [1][4].

Impact

Successful exploitation allows an authenticated user to read arbitrary files from the Nova compute node's filesystem. Sensitive data, such as configuration files, cryptographic keys, or other secrets accessible to the Nova process, can be exfiltrated [1][4]. The vulnerability affects all Nova deployments, including those that had previously applied fixes for the related CVEs [1].

Mitigation

Red Hat and the OpenStack project have released patched versions: Nova 27.4.1, 28.2.1, and 29.1.1 [1][4]. Operators should upgrade to these or later versions immediately. The fix strengthens image format validation to detect and reject crafted QCOW2 and VMDK files that attempt to specify backing or descriptor file paths outside of allowed boundaries [2][4].