CVE-2015-3156 in OpenStack

Summary

by MITRE

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in OpenStack DBaaS (aka Trove) as packaged in OpenStack before 2015.1.0 (aka Kilo) allow local users to write to configuration files via a symlink attack on a temporary file.


Analysis

by VulDB Data Team • 11/06/2019

CVE-2015-3156 is a critical symlink-attack flaw in OpenStack Trove, the database-as-a-service component. It affects the guest agent's datastore implementations for mongodb, postgresql, redis, mysql, cassandra and couchbase. The root cause is improper handling of temporary files during configuration management and backup operations, which gives a local user a path to privilege escalation through symbolic-link manipulation. The affected functions write configuration files during normal service operation, backups and restores; because they create their temporary files insecurely, an attacker with local access can redirect those writes into critical system configuration files.

Exploitation hinges on the affected functions creating temporary files without any security check or validation. In normal operation they write temporary files at predictable locations, so a local user who places a symbolic link at such a location before the function runs can point the write at a sensitive configuration file. The attack vector targets write_config, _write_config, _write_mycnf and the backup/restore methods that manage database service configuration: when they write to what they take to be a temporary file, they overwrite or modify the link's target instead. This is the classic insecure temporary file pattern that falls under CWE-355, which addresses inadequate protection of temporary files. The flaw exists because the code does not validate the security context in which the temporary file is created, so an attacker can establish the link before the vulnerable function creates the file.

Within an OpenStack Trove environment the operational impact is severe: a local attacker can modify critical database service configurations, which can lead to privilege escalation, service disruption or data compromise. Altered settings could redirect connections, change authentication parameters or disable security features, undermining the integrity and availability of the database services Trove manages. Because the flaw spans every database implementation within Trove's experimental datastore support, it cuts across multiple database technologies and service types. Depending on the privileges of the affected service accounts, a compromised database service can further lead to unauthorized data access, service outages or complete system compromise. The vulnerability maps to ATT&CK techniques T1059.001 (command and scripting interpreter) and T1068 (exploitation for privilege escalation), since configuration file manipulation can be leveraged to gain elevated system privileges.

Mitigation for CVE-2015-3156 centers on secure temporary file handling in the affected Trove components. The primary fix is to change the vulnerable functions so that temporary files are created in a way that defeats symbolic link attacks: proper permissions, unique and unpredictable names in secure directories, and atomic operations. Every temporary file operation in the database service implementations should use a pattern that checks for an existing symbolic link before writing. Concretely, this means validating the target before writing to a temporary location, using umask settings to restrict file permissions, and creating temporary files with appropriate ownership and access controls. Upgrading to an OpenStack release after 2015.1.0 (Kilo) resolves the issue, as the affected code was patched in subsequent releases. Operators should also monitor for unauthorized configuration file modifications and restrict local user privileges within Trove guest agents. Remediation should include a review of all temporary file handling in the database service implementations so that the same pattern does not survive in other components.
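The following Python example is added here to illustrate the two patterns discussed in the exploitation and mitigation paragraphs above; it is not Trove's code and the function names (write_config_insecure, write_config_secure, is_plain_private_file, demo) are hypothetical. It places a predictable temporary file beside a hardened writer that uses a unique name created with O_EXCL, mode 0600, fsync and an atomic rename into place, then runs both against a constructed directory where a link has been planted in advance and reports what the protected file contains afterwards.

```python
import os
import stat
import tempfile


def write_config_insecure(tmp_dir, contents):
    """Weak pattern: a guessable name in a shared directory, opened with
    plain open(). open() follows a symbolic link already sitting at that
    path, so the write lands wherever the link points."""
    path = os.path.join(tmp_dir, "config.tmp")  # predictable name
    with open(path, "w") as fh:
        fh.write(contents)
    return path


def write_config_secure(dest, contents):
    """Hardened pattern:
      - mkstemp() creates a uniquely named file with O_CREAT|O_EXCL and
        mode 0600 in the destination's own directory; O_EXCL refuses any
        pre-existing entry, symbolic links included.
      - the data is flushed and fsync'ed, then os.replace() swaps the
        directory entry into place atomically. rename() replaces the entry
        at dest itself and never follows a link that may be sitting there."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp_path = tempfile.mkstemp(prefix=".cfg-", dir=dest_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(contents)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_path, dest)
    except BaseException:
        # never leave a half-written temp file behind
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return dest


def is_plain_private_file(path):
    """Post-write check: a regular file (lstat, so a link fails the test)
    with no group/other permission bits set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo():
    """Constructed scenario (not from the page): a link pre-exists at the
    path each writer will use. Returns (victim contents after the insecure
    write, victim contents after the secure write, secure dest check)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # Insecure writer: link at the predictable temp name -> victim clobbered.
        os.symlink(victim, os.path.join(d, "config.tmp"))
        write_config_insecure(d, "attacker-influenced\n")
        with open(victim) as fh:
            after_insecure = fh.read()

        # Secure writer: a link planted at dest is replaced as a directory
        # entry, not followed, so the victim file is left untouched.
        with open(victim, "w") as fh:
            fh.write("original\n")
        dest = os.path.join(d, "service.conf")
        os.symlink(victim, dest)
        write_config_secure(dest, "new config\n")
        with open(victim) as fh:
            after_secure = fh.read()
        dest_ok = is_plain_private_file(dest)
    return after_insecure, after_secure, dest_ok


if __name__ == "__main__":
    print(demo())
```

The hardened writer creates the temporary file in the destination's directory rather than in a world-writable /tmp, which keeps the rename on one filesystem (so it stays atomic) and removes the shared directory an unprivileged local user would otherwise need. The post-write lstat check is the kind of assertion a monitoring job can run over a guest agent's configuration directory.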

Reservation

04/10/2015

Disclosure

08/11/2017

Moderation

accepted

CPE

ready

EPSS

0.00121

KEV

no

Activities

very low

Sources
