Cinder Brocade driver does not do certificate validation

Bug #1661333 reported by Divya K Konoor
Affects                      Status     Importance  Assigned to  Milestone
Cinder                       New        Undecided   Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

It is observed that the brocade driver found at cinder/zonemanager/drivers/brocade/brcd_http_fc_zone_client.py makes a https connection to the switch (virtual fabric) without certificate validation. As seen in the code below, the code creates a requests session and hard-codes certificate verification as False, thus disabling certificate validation in all cases. There's no option to enable certificate validation (verify=True) or point to the path of the root certificate (verify=<path>).

            if requestType == zone_constant.GET_METHOD:
                response = self.session.get(url,
                                            headers=(header),
                                            verify=False)
            elif requestType == zone_constant.POST_METHOD:
                response = self.session.post(url,
                                             payload,
                                             headers=(header),
                                             verify=False)

This could lead to insecure communication and man-in-the-middle attacks.
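The following is an added example (not Cinder's code) of the shape a fix for this report would take: the requests `verify` argument is derived from configuration and defaults to validating the switch certificate, instead of being hard-coded to False. The class and option names (`FcZoneHttpClient`, `ssl_verify`, `ca_bundle`) are hypothetical, and `_RecordingSession` is a test double used so the example runs without a switch.

```python
import os


def resolve_verify(ssl_verify=True, ca_bundle=None):
    """Map two hypothetical config options onto requests' 'verify' argument.

    ssl_verify=False  -> False (validation off; the behaviour reported as the bug)
    ca_bundle set     -> path to a PEM bundle holding the switch's issuing CA
    otherwise         -> True (system trust store)
    """
    if not ssl_verify:
        return False
    if ca_bundle:
        if not os.path.isfile(ca_bundle):
            raise ValueError("CA bundle not found: %s" % ca_bundle)
        return ca_bundle
    return True


class _RecordingSession(object):
    """Test double standing in for requests.Session: records the verify value."""
    def __init__(self):
        self.calls = []

    def get(self, url, headers=None, verify=None):
        self.calls.append(("GET", url, verify))
        return "ok"

    def post(self, url, data=None, headers=None, verify=None):
        self.calls.append(("POST", url, verify))
        return "ok"


class FcZoneHttpClient(object):
    """Hypothetical stand-in for the driver's HTTP zone client."""
    def __init__(self, base_url, ssl_verify=True, ca_bundle=None, session=None):
        self.base_url = base_url.rstrip("/")
        self.verify = resolve_verify(ssl_verify, ca_bundle)
        if session is None:
            import requests  # real session only when no test double is injected
            session = requests.Session()
        self.session = session

    def request(self, method, path, headers=None, payload=None):
        # Every request passes the configured verify value; nothing hard-codes False.
        url = self.base_url + path
        if method == "GET":
            return self.session.get(url, headers=headers, verify=self.verify)
        if method == "POST":
            return self.session.post(url, data=payload, headers=headers, verify=self.verify)
        raise ValueError("unsupported method: %s" % method)
```

With `ssl_verify=False` the client keeps today's insecure behaviour, so a deployment must opt out of validation explicitly rather than get it silently.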

Tags: security
Jeremy Stanley (fungi) wrote:

This is just a duplicate of long-standing (public hardening opportunity) bug 1188189 and corresponding OSSN-0033 ( https://wiki.openstack.org/wiki/OSSN/OSSN-0033 ) right? I'm pretty sure the OpenStack VMT wouldn't issue an advisory in this case nor is there much point in keeping the issue private and embargoed.

Changed in ossa:
status: New → Incomplete
Divya K Konoor (dikonoor) wrote:

bug 1188189 talks about certificate validation problems with code using HTTPSConnection objects in Python 2.x. This defect talks about certificate validation being skipped specifically in the cinder brocade driver (which uses the requests library). So, this bug would obviously not be a duplicate of the former bug.

Tristan Cacqueray (tristan-cacqueray) wrote:

I think fungi is specifically referring to comment #10 of bug 1188189 which seems to match this bug report: this certificate validation is skipped for serverside node-to-node communication that could be assumed to happen on private networks.

Unless mistaken, this doesn't deserve an advisory nor to be kept under embargo, it sounds like a class D type of report (according to https://security.openstack.org/vmt-process.html#incident-report-taxonomy ).

Jeremy Stanley (fungi) wrote:

The following related reports were also submitted publicly today as security hardening opportunities:

bug 1662556
bug 1662558
bug 1662560
bug 1662561
bug 1662563
bug 1662564

Since there have been no objections from the core security reviewers for Cinder, I'm going ahead and switching this to a public hardening opportunity report similarly.

Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
tags: added: security