OpenStack-Cinder Vulnerability: Improper Handling Of PowerFlex Backend Credentials (CVE-2020-10755)
Summary: This security vulnerability is present when using Cinder with PowerFlex storage backend.
Symptoms
This security vulnerability applies only when using a PowerFlex Backend with Cinder. Other drivers are not impacted.
Cause
When using Cinder with the Dell EMC ScaleIO (PowerFlex) backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element of every Block Storage v3 Attachments API response that contains that element. An end user can therefore create a volume, call the API to show the attachment detail, and read a username and password that can be used to connect to another user's volume. These credentials are also valid for the ScaleIO Management API, should an attacker discover the Management API endpoint.
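As an added defender-side check (not part of this Dell article or of the Cinder project), the script below scans a Block Storage v3 attachment response for credential-like keys under ``connection_info``, so an operator can confirm whether a deployment still leaks backend credentials to tenants. The sample response and the ScaleIO-style key names inside it are constructed assumptions, not output from a real system.

```python
import json
from typing import Any, Dict, List

# Key-name fragments that indicate backend credentials rather than
# per-volume attachment data. Matching is case-insensitive and substring
# based, so "serverPassword", "server_token" and similar variants all hit.
SENSITIVE_FRAGMENTS = ("password", "username", "token", "secret")


def find_credential_keys(obj: Any, path: str = "") -> List[str]:
    """Recursively walk decoded JSON and return the dotted path of every
    key whose name looks like a credential."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if any(frag in key.lower() for frag in SENSITIVE_FRAGMENTS):
                hits.append(here)
            hits.extend(find_credential_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_credential_keys(item, f"{path}[{i}]"))
    return hits


def audit_attachment(attachment_json: str) -> List[str]:
    """Given the JSON body of a v3 'show attachment' response, return the
    credential-like paths found under connection_info (empty list = clean)."""
    body: Dict[str, Any] = json.loads(attachment_json)
    attachment = body.get("attachment", body)
    conn = attachment.get("connection_info") or {}
    return find_credential_keys(conn, "connection_info")


# Constructed sample response (assumed shape and key names, not captured
# from any deployment) showing what the vulnerable behaviour looks like.
SAMPLE_RESPONSE = json.dumps({
    "attachment": {
        "id": "a1b2c3d4-0000-4000-8000-000000000001",
        "status": "attached",
        "volume_id": "9f8e7d6c-0000-4000-8000-000000000002",
        "connection_info": {
            "driver_volume_type": "scaleio",
            "serverIP": "192.0.2.10",
            "serverPort": 443,
            "serverUsername": "admin",
            "serverPassword": "EXAMPLE-PLACEHOLDER",
        },
    }
})

if __name__ == "__main__":
    for hit in audit_attachment(SAMPLE_RESPONSE):
        print("backend credential exposed at", hit)
```

On a live system, feed the script the output of `openstack volume attachment show <id> -f json` for an attachment owned by an unprivileged test tenant; any hit means the workaround has not taken effect.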
Resolution
Workaround
Apply the recommended actions in the OpenStack security note below:
https://wiki.openstack.org/wiki/OSSN/OSSN-0086
Impacted Versions
2.x, 3.x
Fixed In Version
N/A
Affected Products
PowerFlex Software, VxFlex Product Family, VxFlex Ready Node, Ready Node Series
Article Properties
Article Number: 000203257
Article Type: Solution
Last Modified: 18 Feb 2025
Version: 3