Statement on CVE-2024-22033 – Compromise of Open Build Service via source services
Maxime Rinaudo of Fenrisk (http://fenrisk.com) found a security vulnerability in one of the source services available on the Open Build Service (https://build.opensuse.org/). He disclosed it to us privately so that we could fix it before he disclosed it publicly. We appreciate this very much and would like to thank him for that again.
On March 14th the issue was presented at the Insomni’hack conference and received public coverage, e.g. on LWN (https://lwn.net/Articles/1014741/). Unfortunately, the impact of this vulnerability is overstated there:
“Their exploitation by malicious actors would have led to the compromise of all the packages of the distributions Fedora and openSUSE, as well as their downstream distributions, impacting millions of Linux servers and desktops.”
While this is a serious vulnerability that needed to be fixed quickly, the impact was inaccurately described. Services in our build environment run in freshly created, isolated containers that do not contain sensitive information. This vulnerability alone is not enough to compromise the openSUSE build infrastructure and the resulting packages because defense-in-depth is an integral part of the design of the Open Build Service.
In addition, our review processes for distribution packages disallow using the services in the way that was required to exploit this issue. This vulnerability was only exploitable when a packager used the services on a local workstation while working on foreign sources that a third party had crafted to be harmful. The packager could then be tricked into committing content they did not intend to publish.
We would like to thank Maxime again for his report and hope that this statement allows users to better understand the impact of this security vulnerability.
Marcus Meissner for SUSE Product Security