CVE-2024-32498: Critical OpenStack Flaw Exposes Cloud Data to Attackers

The OpenStack Foundation has issued an urgent security advisory, disclosing a critical vulnerability (CVE-2024-32498, CVSS 8.8) affecting multiple core components of its cloud infrastructure platform. This flaw could allow malicious actors to gain unauthorized access to sensitive data within Cinder (block storage), Glance (image management), and Nova (compute) services.

Martin Kaesberger reported this vulnerability, which exploits the QCOW2 image processing mechanism within Cinder, Glance, and Nova. An authenticated user can supply a specially crafted QCOW2 image that references a specific data file path. When processed, the system could be tricked into returning the contents of the referenced file from the server, potentially leading to unauthorized access to sensitive data.

“By supplying a specially created QCOW2 image which references a specific data file path, an authenticated user may convince systems to return a copy of that file’s contents from the server resulting in unauthorized access to potentially sensitive data,”  reads the security advisory.

The following versions are affected by CVE-2024-32498:

• Cinder: Versions <22.1.3, >=23.0.0 <23.1.1, and 24.0.0
• Glance: Versions <26.0.1, 27.0.0, and >=28.0.0 <28.0.2
• Nova: Versions <27.3.1, >=28.0.0 <28.1.1, and >=29.0.0 <29.0.3

“While an attacker must have valid login credentials to exploit this vulnerability, OpenStack supports multiple deployment scenarios with a variety of security postures. Open-cloud or multi-tenant deployments where infrastructure is shared by users who may be untrusted should treat this vulnerability as if it could be performed by an unauthenticated attacker. Considering this, along with the significant potential for disruption, we have rated the severity of this vulnerability as Critical,” reads the RedHat security advisory.

Due to the complexity of the fixes and the potential for regressions, OpenStack’s security team coordinated a detailed disclosure period. Despite their efforts, downstream stakeholders reported additional regressions and bypasses, necessitating revised patches. This led to a slight delay beyond the originally scheduled publication date, extending the advisory release by four days past the promised ninety-day maximum embargo period.

OpenStack users and administrators are strongly advised to update their deployments to the latest patched versions of Cinder, Glance, and Nova immediately. The Foundation has released security patches to address the vulnerability.