Brocade FC SAN lookup vulnerable to MITM

Bug #1391311 reported by Matthew Edmonds
Affects                      Status        Importance  Assigned to  Milestone
Cinder                       Fix Released  Undecided   Ryan McNair
  Icehouse                   Won't Fix     Undecided   Unassigned
  Juno                       Fix Released  Undecided   Unassigned
OpenStack Security Advisory  Won't Fix     Undecided   Unassigned

Bug Description

The Brocade FC SAN lookup service implementation (cinder/zonemanager/drivers/brocade/brcd_fc_san_lookup_service.py) is not doing known_hosts checks when instantiated via the base lookup service (cinder/zonemanager/fc_san_lookup_service.py). The Brocade implementation is coded to do these checks if it is passed specific kwargs during instantiation, but the base lookup service is not passing those kwargs.
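The check the report says was skipped is an SSH known_hosts lookup: a host key is only accepted if it is already recorded for that host, and a recorded-but-different key is treated as a possible MITM. The following is an added example of such a strict check over an OpenSSH-format known_hosts file (plain and hashed `|1|` entries); it is not Cinder's code, and the host names, keys and known_hosts text are constructed.

```python
# Added example, not Cinder's code; sample hosts/keys below are constructed.
import base64
import hashlib
import hmac

def hashed_host_field(hostname, salt):
    """OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def parse_known_hosts(text):
    """Return [(hosts, keytype, key)]; hosts is a list of names or ('hashed', salt, digest)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        if hosts.startswith("|1|"):
            _, _, salt, digest = hosts.split("|")
            hosts = ("hashed", base64.b64decode(salt), base64.b64decode(digest))
        else:
            hosts = hosts.split(",")
        entries.append((hosts, keytype, key))
    return entries

def _matches(hosts, hostname):
    if isinstance(hosts, tuple):  # hashed entry: recompute HMAC under its salt
        mac = hmac.new(hosts[1], hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, hosts[2])
    return hostname in hosts

def verify_host_key(entries, hostname, keytype, presented_key, strict=True):
    """'ok' when the presented key is recorded for hostname.  A different
    recorded key is always rejected (possible MITM); an unknown host is
    rejected when strict, else accepted once ('added') so it can be recorded."""
    known = [k for h, t, k in entries if t == keytype and _matches(h, hostname)]
    if presented_key in known:
        return "ok"
    if known:
        raise ValueError("host key mismatch for %s (possible MITM)" % hostname)
    if strict:
        raise ValueError("unknown host %s" % hostname)
    return "added"

# Constructed sample: a plain entry and a hashed entry for two fabric switches.
KEY_A = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-key-A"
KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-key-B"
KNOWN_HOSTS = ("fabric-a.example.net,10.0.0.11 ssh-rsa " + KEY_A + "\n" +
               hashed_host_field("fabric-b.example.net", b"0123456789abcdefghij") + " ssh-rsa " + KEY_B)
```

With no known_hosts loaded and strict checking off, as in the base lookup service described above, every host key is simply accepted.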

description: updated
Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Matthew Edmonds (edmondsw) wrote :
Changed in cinder:
assignee: nobody → Matthew Edmonds (edmondsw)
Revision history for this message
Jeremy Stanley (fungi) wrote :

While the change doesn't specifically call itself out as a security fix, it links to a private bug and anyone trying to follow that link will pretty quickly figure out why they can't view it. I think we have no choice at this point but to continue this bug in public now.

information type: Private Security → Public Security
Changed in cinder:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/133831
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=ab4f57212683baec45d5b682bdd3952ff58249ed
Submitter: Jenkins
Branch: master

commit ab4f57212683baec45d5b682bdd3952ff58249ed
Author: Matthew Edmonds <email address hidden>
Date: Tue Nov 11 16:03:23 2014 -0500

    Fix Brocade FC SAN lookup MITM vulnerability

    Modify the Brocade FC SAN lookup service implementation to use the
    same SSH key config properties used elsewhere rather than relying on
    arguments which are non-standard and never passed by the base lookup
    service.

    Change-Id: I0cb5141368bc9a62a4e0374026d66fc2725cfe24
    Closes-Bug: 1391311

Changed in cinder:
status: In Progress → Fix Committed
Revision history for this message
Jeremy Stanley (fungi) wrote :

I think this bug falls under the category of securing internal service communication, which the VMT has previously declared a security hardening fix rather than something which would trigger an advisory (at least until security of internal communication between OpenStack components becomes ubiquitous such that these bugs are the exception rather than the norm).

So probably we shouldn't consider this as an OSSA candidate and switch it from a vulnerability to a security hardening fix. Does anyone disagree?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/134600

Revision history for this message
Jay Bryant (jsbryant) wrote :

Agreed. This is consistent with the way we have handled other similar fixes.

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

We talked about this kind of vulnerability back at the end of icehouse and it was supposed to be resolved in cinder for Juno. Changes went into cinder's ssh_utils to address it. This snuck through because it doesn't use ssh_utils. If the expectation was that things were supposed to be addressed in Juno, then doesn't that make this advisory-worthy?

Revision history for this message
Jeremy Stanley (fungi) wrote :

I suppose that depends on whether 1. all Cinder driver interactions were subsequently audited to confirm this was implemented across the board, 2. the same is implemented for other internal communication relied on by Cinder (HTTPS with certificate validation for REST calls? encrypted and authenticated message queues?), and 3. we plan to phase in "secured internal communication" expectations in different parts of the OpenStack integrated release at different times (how many sites are running Cinder with no Nova?).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/juno)

Reviewed: https://review.openstack.org/134600
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=628196e46e96e936a1c81685dbe9c22a4afff02f
Submitter: Jenkins
Branch: stable/juno

commit 628196e46e96e936a1c81685dbe9c22a4afff02f
Author: Matthew Edmonds <email address hidden>
Date: Tue Nov 11 16:03:23 2014 -0500

    Fix Brocade FC SAN lookup MITM vulnerability

    Modify the Brocade FC SAN lookup service implementation to use the
    same SSH key config properties used elsewhere rather than relying on
    arguments which are non-standard and never passed by the base lookup
    service.

    Change-Id: I0cb5141368bc9a62a4e0374026d66fc2725cfe24
    Closes-Bug: 1391311
    (cherry picked from commit ab4f57212683baec45d5b682bdd3952ff58249ed)

tags: added: in-stable-juno
Revision history for this message
Thierry Carrez (ttx) wrote :

I agree with Jeremy's comments. While I applaud Cinder's efforts to clean things up on the management network, we can't really consider the rest of the integrated release to be up to that standard yet, so I don't think we should set false expectations by raising an OSSA for this.

Would be great to get a status of how far we are from the ultimate target though.

Thierry Carrez (ttx)
Changed in ossa:
status: Incomplete → Won't Fix
information type: Public Security → Public
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: kilo-1 → 2015.1.0
Ryan McNair (rdmcnair)
Changed in cinder:
assignee: Matthew Edmonds (edmondsw) → Ryan McNair (rdmcnair)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/218341

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/218341
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=46fdb37c68b605d26f98ac673ebe4e70c39b4b99
Submitter: Jenkins
Branch: master

commit 46fdb37c68b605d26f98ac673ebe4e70c39b4b99
Author: Ryan McNair <email address hidden>
Date: Thu Aug 27 20:51:14 2015 +0000

    Fix MITM vulnerability for Brocade FC SAN lookup

    Refactor the Brocade FC SAN lookup service implementation to use
    common SSH utilities which already avoid MITM vulnerabilities.
    This is a follow-up to https://review.openstack.org/#/c/138526/
    which reverted an incomplete fix for the MITM issues for Brocade.

    Change-Id: I2d87b55f56f08208f0da11cac40682d51da5b536
    Closes-Bug: #1391311
