CVE-2022-38065: OpenStack Privilege Escalation Vulnerability

Two high-risk privilege escalation vulnerabilities have been reported in OpenStack and OpenStack Kolla by security researcher Keane O’Kelley at Cisco ASIG.

OpenStack is a collection of interoperable components that can be deployed to provide computing, networking, and storage resources. Those infrastructure resources can then be accessed by end users through programmable APIs. Kolla provides production-ready containers and deployment tools for operating OpenStack clouds.

CVE-2022-38065

OpenStack could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the oslo.privsep function. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. Tracked as CVE-2022-38065 (CVSS score: 8.8), the flaw was reported to the Openstack developer on September 07 this year.

“OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova,” Cisco Talos’ security advisory says. “Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os_brick module contains functions to execute arbitrary shell commands as root.”