libvirt accessible by default via an unauthenticated, unencrypted TCP connection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla-ansible |
Fix Released
|
High
|
Mark Goddard |
Bug Description
In Kolla Ansible OpenStack deployments, by default, libvirt is configured to allow read-write access via an unauthenticated, unencrypted TCP connection, using the internal API network. This is to facilitate migration between hosts.
By default, Kolla Ansible does not use encryption for services on the internal network (and did not support it until Ussuri). However, most other services on the internal network are at least authenticated (usually via passwords), ensuring that they cannot be used by anyone with access to the network, unless they have credentials.
The main issue here is the lack of authentication. Any client with access to the internal network is able to connect to the libvirt TCP port and make arbitrary changes to the hypervisor. This could include starting a VM, modifying an existing VM, etc. Given the flexibility of the domain options, it could be seen as equivalent to having root access to the hypervisor.
Kolla Ansible supports libvirt TLS [1] since the Train release, using client and server certificates for mutual authentication and encryption. However, this feature is not enabled by default, and requires certificates to be generated for each compute host.
Kolla Ansible should configure SASL username/password authentication by default, as described in https:/
[1] https:/
information type: | Private Security → Public Security |
This bug report suggests libvirt client certs alone are not secure as an authentication method. https:/ /bugzilla. redhat. com/show_ bug.cgi? id=1513440. Unfortunately I can't access the linked bug report, https:/ /bugzilla. redhat. com/show_ bug.cgi? id=1510216.