Virtual Machines VNC consoles are accessible from any network
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Invalid
|
Medium
|
Javier Diaz Jr | ||
Bug Description
Detailed bug description:
VNC consoles of running OpenStack VMs are accessible through the hostname/IP of a compute node and a specified port. Authentication is still required for the VM, but the VM is susceptible to a brute-force attack.
Steps to reproduce:
Using a VNC viewer use the IP of a compute node along with a VM port and you will gain access to the VNC console.
Expected results:
Console access should not work.
Actual result:
VNC connects successfully.
Reproducibility:
100%
Workaround:
ip tables
Impact:
Unauthorized access to VNC consoles of running VMs is possible. Such access may be used to
brute-force passwords, to reset or reboot a VM, or to gain an immediate access if a VM guest
operating systems are configured for the automatic login in console.
Description of the environment:
MOS 9.1 and MOS 9.2
| Changed in mos: | |
| importance: | Undecided → Medium |
| assignee: | nobody → MOS Maintenance (mos-maintenance) |
| milestone: | 9.x-updates → 9.2-mu-8 |
| Vladimir Khlyunev (vkhlyunev) wrote | #1 |
| Changed in mos: | |
| status: | Confirmed → Incomplete |
| assignee: | MOS Maintenance (mos-maintenance) → Javier Diaz Jr (javierdiazcharles) |
| Javier Diaz Jr (javierdiazcharles) wrote | #2 |
| Changed in mos: | |
| status: | Incomplete → Invalid |
| Changed in mos: | |
| milestone: | 9.2-mu-8 → 9.x-updates |
Hi Javier,
can you tell us - from which network VNC console are accessible? MOS reference architecture uses compute nodes isolated from external networks. Only private and management networks should be attached to this nodes. VNC consoles are available via VNCProxy through controller nodes (this way is protected with auth). So it means that open VNC ports should not be an issue (moreover for VNCProxy this ports should be open for management network)