[security] CVE-2013-5211 vulnerability on MOS controllers

Bug #1505235 reported by Eugene Korekin
This bug affects 6 people

Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | High | Stanislaw Bogatkin |
6.0.x | Invalid | High | Denis Meltsaykin |
7.0.x | Fix Released | High | Stanislaw Bogatkin |

Bug Description

MOS controllers are susceptible to CVE-2013-5211
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5211.html

Default Ubuntu ntpd installations include these lines in /etc/ntp.conf:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

But /etc/ntp.conf on MOS controllers does not contain 'default' in the first of these lines:

restrict -4 kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

and so is vulnerable.

This vulnerability is already exploited in some of our test installations in the Czech datacenter.
I confirmed it on MOS 7.0 but other releases might contain the same bug.

description: updated
Changed in mos:
assignee: nobody → MOS Maintenance (mos-maintenance)
information type: Public → Private Security
Dmitry Pyzhov (dpyzhov)
no longer affects: mos/8.0.x
Dmitry Pyzhov (dpyzhov)
Changed in mos:
importance: Undecided → High
status: New → Confirmed
Dmitry Pyzhov (dpyzhov)
tags: added: 70mu1-confirmed
Stanislaw Bogatkin (sbogatkin) wrote :
Changed in mos:
status: Confirmed → In Progress
Stanislaw Bogatkin (sbogatkin) wrote :
Changed in mos:
status: In Progress → Fix Committed
tags: removed: 70mu1-confirmed
Denis Meltsaykin (dmeltsaykin) wrote :

As we have no way to deliver fuel-library fixes in Fuel 5.1.1, the issue and the fix will be described in the Release Notes.

Dmitry Pyzhov (dpyzhov)
tags: added: area-library
Denis Meltsaykin (dmeltsaykin) wrote :

Setting this as Invalid for 5.1.1-updates, as neither CentOS nor Ubuntu nodes are vulnerable, i.e. they already have all the needed options in their ntp.confs

Denis Meltsaykin (dmeltsaykin) wrote :

I was unable to reproduce this issue on 6.1GA Ubuntu. It looks like the templates for NTP were synced with upstream's NTP manifests in 2014 by this commit https://github.com/openstack/fuel-library/commit/de4ddd341c66a2dfeea9c1c5b87c21c984b0fae3#diff-e7e2ab0b3389498d5cef4d2d057d3599R46
These templates contain all the needed restrictions and should be used during installation, which is what actually happens on vanilla 6.1GA.
Therefore, setting this as Invalid for 6.1-updates.

tags: added: on-verification
affects: mos → fuel
Changed in fuel:
milestone: 8.0 → none
milestone: none → 8.0
no longer affects: ubuntu
no longer affects: mos/5.1.x
no longer affects: mos/6.0.x
no longer affects: mos/6.1.x
no longer affects: mos/7.0.x
information type: Private Security → Public Security
Dmitry (dtsapikov) wrote :

Verified on 7.0

After installation of the new packages we have the following strings in /etc/ntp.conf:

...
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
...

tags: removed: on-verification
tags: added: 7.0-mu-2
tags: added: on-verification
Mikhail Samoylov (msamoylov) wrote :

Verified on 8.0
Scenario:
1. Deploy cluster with 1 controller + 1 compute
2. Check /etc/ntp.conf:

Actual result:
root@node-5:~# grep "restrict" /etc/ntp.conf
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

Expected result:
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

Fuel version:
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "506"
  build_id: "506"

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released
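
The check described in the bug description and repeated by hand in the verification comments can be automated. The following is an added example, not code from fuel-library or from anyone in this thread: it parses `restrict` lines and reports a line whose address position holds a flag (the MOS 7.0 case) or an address family with no `default ... noquery` restriction. The function names are hypothetical, and a bare `default` is assumed to cover IPv4 only.

```python
# Added example: audit ntp.conf text for default "restrict" coverage.
# Flag names are ntpd restrict flags; the sample configs are the lines quoted in this report.
RESTRICT_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify", "noquery",
                  "nopeer", "noserve", "notrap", "notrust", "ntpport", "version"}

MOS_7_0_BEFORE = """\
restrict -4 kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
MOS_8_0_VERIFIED = """\
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def parse_restrict(line):
    """Return (family, address, flags) for a restrict line, or None for any other line."""
    tokens = line.split("#", 1)[0].split()
    if not tokens or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = tokens.pop(0) if tokens and tokens[0] in ("-4", "-6") else None
    address = tokens.pop(0) if tokens else None
    if tokens[:1] == ["mask"]:
        tokens = tokens[2:]  # skip "mask <netmask>"
    return family, address, tokens

def audit(conf_text):
    """Return findings; an empty list means IPv4 and IPv6 defaults both carry noquery."""
    covered = {"-4": False, "-6": False}
    findings = []
    for num, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        family, address, flags = parsed
        if address is None or address in RESTRICT_FLAGS:
            findings.append(f"line {num}: no address before flags: {line.strip()}")
        elif address == "default":
            # Assumption: a bare "default" is counted as IPv4 only (conservative).
            if "noquery" in flags:
                covered[family or "-4"] = True
            else:
                findings.append(f"line {num}: default restriction lacks noquery")
    findings += [f"no 'restrict {fam} default ... noquery' line"
                 for fam, ok in covered.items() if not ok]
    return findings

if __name__ == "__main__":
    for name, text in (("MOS 7.0 before fix", MOS_7_0_BEFORE),
                       ("MOS 8.0 verified", MOS_8_0_VERIFIED)):
        print(name, "->", audit(text) or "OK")
```

To audit a node, pass the contents of its /etc/ntp.conf to `audit()`; any non-empty result means the file does not match the verified 8.0 layout.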
This report contains Public Security information  
Everyone can see this security related information.
