Small window of access to kvmhost with l3 driver and floating ips

Bug #1100435 reported by Mingyan Bao
This bug affects 1 person

Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Mingyan Bao

Bug Description

We noticed that when floating IP addresses were being assigned to instances, the L3 driver binds the IP to the kvmhost’s public interface first, and then sets up the NAT rules. This gives a window of opportunity for traffic for the floating IP to go to the kvmhost instead of the instance. I traced the issue to nova/network/l3.py, add_floating_ip method:

Original:
    def add_floating_ip(self, floating_ip, fixed_ip, l3_interface_id):
        linux_net.bind_floating_ip(floating_ip, l3_interface_id)
        linux_net.ensure_floating_forward(floating_ip, fixed_ip)

Modified:
    def add_floating_ip(self, floating_ip, fixed_ip, l3_interface_id):
        linux_net.ensure_floating_forward(floating_ip, fixed_ip)
        linux_net.bind_floating_ip(floating_ip, l3_interface_id)

I think setting up the NAT rules first then binding the IP should be okay. I tested and it seems to work.

Tags: security
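
The ordering problem described in the report, as an added example that is not part of the original bug report or nova's code: a toy model of the host's packet path that records where traffic to the floating IP lands after each step of both orderings. `FakeLinuxNet`, `deliver`, the helper functions and the sample addresses are hypothetical; only the two `linux_net` call names come from the report.

```python
# Added illustration: a toy model of the host's packet path, not nova code.
# FakeLinuxNet stands in for nova.network.linux_net; only the two call names
# come from the bug report, everything else here is hypothetical.

class FakeLinuxNet:
    def __init__(self):
        self.local_addrs = set()  # addresses bound to the host's public interface
        self.dnat = {}            # floating_ip -> fixed_ip (PREROUTING DNAT rules)
        self.observed = []        # where a probe to the floating IP lands after each step

    def deliver(self, dst):
        """Model the packet path: DNAT in PREROUTING runs before the routing decision."""
        if dst not in self.local_addrs:
            return "not-received"  # host does not answer ARP for dst, nothing arrives
        if dst in self.dnat:
            return "instance"      # rewritten to the fixed IP and forwarded
        return "host"              # local address without DNAT: the host's own sockets answer

    def bind_floating_ip(self, floating_ip, device):
        self.local_addrs.add(floating_ip)
        self.observed.append(self.deliver(floating_ip))

    def ensure_floating_forward(self, floating_ip, fixed_ip):
        self.dnat[floating_ip] = fixed_ip
        self.observed.append(self.deliver(floating_ip))


def add_floating_ip_original(net, floating_ip, fixed_ip, dev):
    net.bind_floating_ip(floating_ip, dev)
    net.ensure_floating_forward(floating_ip, fixed_ip)


def add_floating_ip_modified(net, floating_ip, fixed_ip, dev):
    net.ensure_floating_forward(floating_ip, fixed_ip)
    net.bind_floating_ip(floating_ip, dev)


def exposure_trace(add_fn):
    """Return the delivery target seen after each step of add_fn."""
    net = FakeLinuxNet()
    add_fn(net, "203.0.113.10", "10.0.0.5", "eth0")  # constructed sample addresses
    return net.observed


def host_exposed(add_fn):
    """True if any intermediate state hands floating-IP traffic to the host."""
    return "host" in exposure_trace(add_fn)
```

`host_exposed` can serve as a regression check on call order: it is true for the original ordering and false for the modified one.
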
Vish Ishaya (vishvananda) wrote :

Makes sense to do them in the reverse order. I would probably be ok making this bug public since the window is incredibly small and there is only an exploit if there is a vulnerable service running on the host.

Changed in nova:
status: New → Triaged
importance: Undecided → Low

Thierry Carrez (ttx) wrote :

Yes, this is a welcome strengthening (and should definitely be fixed) but there is no real vulnerability to be exploited, so we won't embargo the fix and do an advisory about it.

tags: added: security
information type: Private Security → Public
summary: - Potential kvmhost security hole with l3 driver and floating ips
+ Small window of access to kvmhost with l3 driver and floating ips
Changed in nova:
assignee: nobody → Mingyan Bao (bao-mingyan)
status: Triaged → In Progress

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21228

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/21228
Committed: http://github.com/openstack/nova/commit/12c73ee65372fd1b0a3d3417cd91e548fd7afd2b
Submitter: Jenkins
Branch: master

commit 12c73ee65372fd1b0a3d3417cd91e548fd7afd2b
Author: mingyan bao <email address hidden>
Date: Mon Feb 4 15:52:33 2013 -0700

    l3.py,add_floating_ip: setup NAT before binding

    fix for bug 1100435

    Change-Id: Iad022f61297fe26edb230ba7b9e31d73df99b5a5

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1

Robert Clark (robert-clark) wrote :

Glad to see this is fixed. I would consider it to be somewhat concerning for those of us running a public cloud, sure there's a small window but it's repeatable, I believe a motivated attacker with other points-of-presence on-cloud could probably find interesting ways to abuse this.

All that being said, it's far from the lowest hanging fruit.

Jason Hullinger (jason-hullinger) wrote : Re: [Bug 1100435] Re: Small window of access to kvmhost with l3 driver and floating ips

That's why it takes a few seconds from when a VM launches to when you can
actually ssh to it.

On 4/4/13 10:53 AM, "Robert Clark" <email address hidden> wrote:

>Glad to see this is fixed. I would consider it to be somewhat concerning
>for those of us running a public cloud, sure there's a small window but
>it's repeatable, I believe a motivated attacker with other points-of-
>presence on-cloud could probably find interesting ways to abuse this.
>
>All that being said, it's far from the lowest hanging fruit.

Kurt Seifried (kseifried) wrote :

A few seconds is a long time when it comes to network traffic/talking to hosts; this exposes the underlying system in a way that is probably not meant to happen. I think this probably deserves a CVE. Is there any reason this has not gotten one?

Robert Clark (robert-clark) wrote :

+1 for a CVE

Randy Perryman (randy-perryman) wrote : RE: [Bug 1100435] Re: Small window of access to kvmhost with l3 driver and floating ips

+1

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Robert Clark
Sent: Thursday, April 04, 2013 3:24 PM
To: Perryman, Randy
Subject: [Bug 1100435] Re: Small window of access to kvmhost with l3 driver and floating ips

+1 for a CVE


Thomas Biege (thomas-suse-deactivatedaccount) wrote :

Yes, this needs a CVE-ID. (BTW most of the other issues I saw getting fixed in Grizzly within this week need one too from my POV).
