Vulnerabilities > CVE-2014-3608 - Resource Management Errors vulnerability in Openstack Nova

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_NOVA_20141120.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image. (CVE-2014-2573) - The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. (CVE-2014-3608)
    last seen2020-06-01
    modified2020-06-02
    plugin id80712
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80712
    titleOracle Solaris Third-Party Patch Update : nova (multiple_vulnerabilities_in_nova)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Oracle Third Party software advisories.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(80712);
      script_version("1.2");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id("CVE-2014-2573", "CVE-2014-3608");
    
      script_name(english:"Oracle Solaris Third-Party Patch Update : nova (multiple_vulnerabilities_in_nova)");
      script_summary(english:"Check for the 'entire' version.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Solaris system is missing a security patch for third-party
    software."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote Solaris system is missing necessary patches to address
    security updates :
    
      - The VMWare driver in OpenStack Compute (Nova) 2013.2
        through 2013.2.2 does not properly put VMs into RESCUE
        status, which allows remote authenticated users to
        bypass the quota limit and cause a denial of service
        (resource consumption) by requesting the VM be put into
        rescue and then deleting the image. (CVE-2014-2573)
    
      - The VMWare driver in OpenStack Compute (Nova) before
        2014.1.3 allows remote authenticated users to bypass the
        quota limit and cause a denial of service (resource
        consumption) by putting the VM into the rescue state,
        suspending it, which puts into an ERROR state, and then
        deleting the image. NOTE: this vulnerability exists
        because of an incomplete fix for CVE-2014-2573.
        (CVE-2014-3608)"
      );
      # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4a913f44"
      );
      # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-nova
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dd1a01aa"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.2.4.6.0.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:nova");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Solaris Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("solaris.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Solaris11/release");
    if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");
    pkg_list = solaris_pkg_list_leaves();
    if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages");
    
    if (empty_or_null(egrep(string:pkg_list, pattern:"^nova$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "nova");
    
    flag = 0;
    
    if (solaris_check_release(release:"0.5.11-0.175.2.4.0.6.0", sru:"SRU 11.2.4.6.0") > 0) flag++;
    
    if (flag)
    {
      error_extra = 'Affected package : nova\n' + solaris_get_report2();
      error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra);
      if (report_verbosity > 0) security_note(port:0, extra:error_extra);
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_PACKAGE_NOT_AFFECTED, "nova");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2407-1.NASL
    descriptionGarth Mollett discovered that OpenStack Nova did not properly clean up an instance when using rescue mode with the VMware driver. A remove authenticated user could exploit this to bypass intended quota limits. By default, Ubuntu does not use the VMware driver. (CVE-2014-3608) Amrith Kumar discovered that OpenStack Nova did not properly sanitize log message contents. Under certain circumstances, a local attacker with read access to Nova log files could obtain access to sensitive information. (CVE-2014-7230). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id79213
    published2014-11-12
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79213
    titleUbuntu 14.04 LTS : nova vulnerabilities (USN-2407-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2407-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79213);
      script_version("1.6");
      script_cvs_date("Date: 2019/09/19 12:54:30");
    
      script_cve_id("CVE-2014-3608", "CVE-2014-7230");
      script_xref(name:"USN", value:"2407-1");
    
      script_name(english:"Ubuntu 14.04 LTS : nova vulnerabilities (USN-2407-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Garth Mollett discovered that OpenStack Nova did not properly clean up
    an instance when using rescue mode with the VMware driver. A remove
    authenticated user could exploit this to bypass intended quota limits.
    By default, Ubuntu does not use the VMware driver. (CVE-2014-3608)
    
    Amrith Kumar discovered that OpenStack Nova did not properly sanitize
    log message contents. Under certain circumstances, a local attacker
    with read access to Nova log files could obtain access to sensitive
    information. (CVE-2014-7230).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2407-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected python-nova package."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-nova");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"python-nova", pkgver:"1:2014.1.3-0ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-nova");
    }
    

Redhat

advisories
  • rhsa
    idRHSA-2014:1781
  • rhsa
    idRHSA-2014:1782
rpms
  • openstack-nova-0:2014.1.3-4.el6ost
  • openstack-nova-api-0:2014.1.3-4.el6ost
  • openstack-nova-cells-0:2014.1.3-4.el6ost
  • openstack-nova-cert-0:2014.1.3-4.el6ost
  • openstack-nova-common-0:2014.1.3-4.el6ost
  • openstack-nova-compute-0:2014.1.3-4.el6ost
  • openstack-nova-conductor-0:2014.1.3-4.el6ost
  • openstack-nova-console-0:2014.1.3-4.el6ost
  • openstack-nova-doc-0:2014.1.3-4.el6ost
  • openstack-nova-network-0:2014.1.3-4.el6ost
  • openstack-nova-novncproxy-0:2014.1.3-4.el6ost
  • openstack-nova-objectstore-0:2014.1.3-4.el6ost
  • openstack-nova-scheduler-0:2014.1.3-4.el6ost
  • python-nova-0:2014.1.3-4.el6ost
  • openstack-nova-0:2014.1.3-4.el7ost
  • openstack-nova-api-0:2014.1.3-4.el7ost
  • openstack-nova-cells-0:2014.1.3-4.el7ost
  • openstack-nova-cert-0:2014.1.3-4.el7ost
  • openstack-nova-common-0:2014.1.3-4.el7ost
  • openstack-nova-compute-0:2014.1.3-4.el7ost
  • openstack-nova-conductor-0:2014.1.3-4.el7ost
  • openstack-nova-console-0:2014.1.3-4.el7ost
  • openstack-nova-doc-0:2014.1.3-4.el7ost
  • openstack-nova-network-0:2014.1.3-4.el7ost
  • openstack-nova-novncproxy-0:2014.1.3-4.el7ost
  • openstack-nova-objectstore-0:2014.1.3-4.el7ost
  • openstack-nova-scheduler-0:2014.1.3-4.el7ost
  • python-nova-0:2014.1.3-4.el7ost