Vulnerability CVE-2017-18191


Published: 2018-02-19

Description:
An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. (The same code error also results in data loss, but that is not a vulnerability because the user loses their own data.) All Nova setups supporting encrypted volumes are affected.

Type:

CWE-noinfo

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Affected software:
Red Hat -> OpenStack
OpenStack -> Nova

References:
http://openwall.com/lists/oss-security/2018/04/20/3
http://www.securityfocus.com/bid/103104
https://access.redhat.com/errata/RHSA-2018:2332
https://access.redhat.com/errata/RHSA-2018:2714
https://access.redhat.com/errata/RHSA-2018:2855
https://launchpad.net/bugs/1739593
https://review.openstack.org/539893
https://security.openstack.org/ossa/OSSA-2018-001.html

Copyright 2024, cxsecurity.com

 
