Recently, a security vulnerability was disclosed in OpenStack Sushy-Tools (versions through 0.21.0) and VirtualBMC (versions through 2.2.2): changing a managed VM's boot device through either tool removes the password protection from the managed libvirt domain XML. The vulnerability is tracked as CVE-2022-44020. In this post, we'll go over the details of the issue, its consequences, and possible mitigation steps.

Vulnerability Details

The security issue is caused by a bug in the boot-device change path (shown below as change_boot) of OpenStack Sushy-Tools and VirtualBMC. When this method is used to change the boot device configuration, it inadvertently removes the password protection from the managed libvirt domain XML. In libvirt, the password carried inline in the domain XML is the graphics console password (the passwd attribute on the VNC/SPICE graphics element), so the practical effect is that a previously password-protected VM console becomes reachable without one. It's important to note that, per the advisory, this only affects an "unsupported, production-like configuration": both tools are emulators intended for development and testing, not for production BMC duty.

Originally reported by INSERT REPORTER NAME (Source: INSERT SOURCE URL), the issue was introduced in the following commit: INSERT COMMIT URL.

Here's a simplified version of the problematic code path (the class and helper names are illustrative, not the projects' exact ones):

import xml.etree.ElementTree as ET

def change_boot(self, boot_device):
    # ...
    domain = self._get_domain()
    # XMLDesc() is called without libvirt.VIR_DOMAIN_XML_SECURE, so libvirt
    # redacts security-sensitive attributes (the <graphics> passwd) from the dump.
    domain_xml = ET.fromstring(domain.XMLDesc())
    self._set_boot_device(domain_xml, boot_device)  # <- boot device configuration being changed
    self._update_domain(domain_xml)
    # ...

def _update_domain(self, domain_xml):
    # ...
    # The redacted XML becomes the new persistent definition: the password is gone.
    self._conn.defineXML(ET.tostring(domain_xml).decode())
    # ...

In this example, the change_boot method reads the domain definition with XMLDesc(), edits the boot device in the parsed XML, and hands the result to _update_domain, which redefines the domain in libvirt. The problem is the read step: libvirt's XMLDesc() omits security-sensitive fields, including the graphics console password, unless the caller passes VIR_DOMAIN_XML_SECURE. Because the code redefines the domain from that redacted copy, the password that was present before the boot-device change is silently dropped from the persistent definition. The check a maintainer would want is therefore simple: every read-modify-write of domain XML must request the secure dump (XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)) before calling defineXML.
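The following is an added example, not code from Sushy-Tools or VirtualBMC. It models libvirt's redaction behaviour with a small in-memory stand-in (FakeDomain and FakeConnection are assumptions that mimic virDomain.XMLDesc() and virConnect.defineXML(); the domain XML is constructed for the demo) and runs the vulnerable read-modify-write beside the fixed one, so the loss of the console password is visible without a hypervisor. The console_password helper is also the check you would run on the output of virsh dumpxml --security-info after updating.

```python
import xml.etree.ElementTree as ET

# Constructed domain XML for a VM whose VNC console is password-protected.
DOMAIN_XML = """<domain type='kvm'>
  <name>node-1</name>
  <os>
    <type arch='x86_64'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' passwd='s3cret'/>
  </devices>
</domain>"""

VIR_DOMAIN_XML_SECURE = 1  # same value as libvirt.VIR_DOMAIN_XML_SECURE


class FakeDomain:
    """Hypothetical stand-in for libvirt.virDomain. Like libvirt, it strips
    the graphics passwd attribute unless VIR_DOMAIN_XML_SECURE is requested."""

    def __init__(self, xml):
        self.xml = xml

    def XMLDesc(self, flags=0):
        tree = ET.fromstring(self.xml)
        if not flags & VIR_DOMAIN_XML_SECURE:
            for graphics in tree.iter("graphics"):
                graphics.attrib.pop("passwd", None)
        return ET.tostring(tree, encoding="unicode")


class FakeConnection:
    """Hypothetical stand-in for libvirt.virConnect."""

    def __init__(self, domain):
        self.domain = domain

    def lookupByName(self, name):
        return self.domain

    def defineXML(self, xml):
        # libvirt replaces the persistent definition with whatever it is given.
        self.domain.xml = xml
        return self.domain


def _set_boot_device(tree, boot_device):
    """Replace all <os>/<boot> entries with a single one for boot_device."""
    os_el = tree.find("os")
    for boot in os_el.findall("boot"):
        os_el.remove(boot)
    ET.SubElement(os_el, "boot", dev=boot_device)


def change_boot_vulnerable(conn, name, boot_device):
    domain = conn.lookupByName(name)
    tree = ET.fromstring(domain.XMLDesc())  # redacted dump: passwd already gone
    _set_boot_device(tree, boot_device)
    conn.defineXML(ET.tostring(tree, encoding="unicode"))


def change_boot_fixed(conn, name, boot_device):
    domain = conn.lookupByName(name)
    tree = ET.fromstring(domain.XMLDesc(VIR_DOMAIN_XML_SECURE))  # full dump
    _set_boot_device(tree, boot_device)
    conn.defineXML(ET.tostring(tree, encoding="unicode"))


def console_password(xml):
    """Return the graphics passwd attribute, or None if the console is open."""
    graphics = ET.fromstring(xml).find("devices/graphics")
    return None if graphics is None else graphics.get("passwd")


def boot_device(xml):
    return ET.fromstring(xml).find("os/boot").get("dev")


def demo():
    """Run both variants against a fresh copy of the domain; return
    {label: (boot device after, console password after)}."""
    results = {}
    for label, change in (("vulnerable", change_boot_vulnerable),
                          ("fixed", change_boot_fixed)):
        conn = FakeConnection(FakeDomain(DOMAIN_XML))
        change(conn, "node-1", "network")
        after = conn.domain.XMLDesc(VIR_DOMAIN_XML_SECURE)
        results[label] = (boot_device(after), console_password(after))
    return results


if __name__ == "__main__":
    for label, (dev, passwd) in demo().items():
        print(f"{label}: boot={dev} console_password={passwd}")
```

Both variants change the boot device correctly; only the fixed one still has the password in the persistent definition afterwards, which is why a functional test of the boot-device feature never caught the bug.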

Exploit Details

Exploitation needs no special technique. Anyone who can ask the emulated BMC to change the boot device (a Redfish client in the case of Sushy-Tools, an IPMI client in the case of VirtualBMC) causes the managed domain to be redefined without its console password; a legitimate operator or an automated provisioning tool triggers it just as easily. From then on, anyone who can reach the VM's VNC/SPICE port can attach to the console without authenticating, with whatever follow-on access the console grants (watching the boot, interacting with the installed OS, or changing firmware and bootloader settings at the keyboard).

Mitigation Steps

Until you are running a fixed release, the options are to avoid exposing Sushy-Tools or VirtualBMC in a production-like configuration, to avoid changing the boot device through them, or to keep the VNC/SPICE ports reachable only from trusted networks so that a lost console password is not directly exploitable. After updating, verify the fix against a password-protected domain: change its boot device through the tool, then confirm that virsh dumpxml --security-info <domain> still shows the passwd attribute on the graphics element (without --security-info, virsh redacts it and the check proves nothing).

OpenStack Sushy-Tools

- Go to the GitHub mirror of the repository: https://github.com/openstack/sushy-tools
   - Check for the latest release to confirm that it contains the fix for this issue: https://github.com/openstack/sushy-tools/releases
   - Update your installation to that release (for example via pip) and re-run the verification above.

VirtualBMC

- Visit the GitHub mirror of the repository: https://github.com/openstack/virtualbmc
   - Check the latest release to verify that the fix is included: https://github.com/openstack/virtualbmc/releases
   - Follow the installation instructions provided in the repository to update your VirtualBMC installation, then re-run the verification above.

Please remember to always keep your software up-to-date and monitor the latest security advisories for any discovered issues.

Conclusion

CVE-2022-44020 is a security vulnerability in OpenStack Sushy-Tools and VirtualBMC that removes the password protection from the managed libvirt domain XML when the boot device is changed, because the domain is redefined from an XML dump that libvirt had already redacted. Although it only affects an "unsupported, production-like configuration", anyone using these emulators outside an isolated lab should understand the risk, update, and confirm that a boot-device change no longer strips the console password. Stay vigilant, and keep your software up to date.

Timeline

Published on: 10/30/2022 00:15:00 UTC
Last modified on: 02/09/2023 01:33:00 UTC