Mirantis OpenStack

(CVE-2015-5240) Neutron firewall rules bypass through port update

Series 6.0.x
Bug #1489958

Bug #1489958 reported by Alexander Ignatov on 2015-08-28

262

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Fix Committed	High	Alexander Ignatov	Mirantis OpenStack 7.0
5.1.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 5.1.1-mu-2
6.0.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 6.0-mu-7
6.1.x	Fix Released	High	Denis Puchkin	Mirantis OpenStack 6.1-mu-4
7.0.x	Fix Released	High	Alexander Ignatov	Mirantis OpenStack 7.0

Bug Description

This patch to backport fix for this CVE.

Original description
==========================

Kevin Benton from Mirantis reported a vulnerability in Neutron. By
changing the device owner of an instance's port right after it is
created, an authenticated user may prevent application of firewall rules
and so avoid IP anti-spoofing controls. All Neutron setups using the ML2
plugin or a plugin that relies on the security groups AMQP API are affected.

Tags:

CVE References

2015-5240

Revision history for this message

Kristina Berezovskaia (kkuznetsova) wrote on 2015-11-09:

verify on:
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "7.0"
  openstack_version: "2015.1.0-7.0"
  api: "1.0"
  build_number: "301"
  build_id: "301"
  nailgun_sha: "4162b0c15adb425b37608c787944d1983f543aa8"
  python-fuelclient_sha: "486bde57cda1badb68f915f66c61b544108606f3"
  fuel-agent_sha: "50e90af6e3d560e9085ff71d2950cfbcca91af67"
  fuel-nailgun-agent_sha: "d7027952870a35db8dc52f185bb1158cdd3d1ebd"
  astute_sha: "6c5b73f93e24cc781c809db9159927655ced5012"
  fuel-library_sha: "5d50055aeca1dd0dc53b43825dc4c8f7780be9dd"
  fuel-ostf_sha: "2cd967dccd66cfc3a0abd6af9f31e5b4d150a11c"
  fuelmain_sha: "a65d453215edb0284a2e4761be7a156bb5627677"
vlan+neutron, 3 controllers, 2 compute

Steps: create new user with member role, create as admin shared network. Log in as member user, create port in shared network, try to update it. Result: neutron port-update d666ec3b-f2c2-4a46-9497-4d9ecc70e3a1 --device_owner "network:dhcp"
Policy doesn't allow (rule:update_port and rule:update_port:device_owner) to be performed

Revision history for this message

Vitaly Sedelnik (vsedelnik) wrote on 2015-11-11:

Fix Committed for 5.1.1-updates, the fix is https://review.fuel-infra.org/#/c/13129/

Revision history for this message

Vitaly Sedelnik (vsedelnik) wrote on 2015-11-13:

Fix Committed for 6.0-updates and 6.1-updates, the corresponding CRs are:
- 6.0: https://review.fuel-infra.org/#/c/13131/2
- 6.1: https://review.fuel-infra.org/#/c/13128/1

Revision history for this message

Vadim Rovachev (vrovachev) wrote on 2015-11-19:

Verified on 5.1.1

Revision history for this message

Vadim Rovachev (vrovachev) wrote on 2015-11-30:

Verified on 6.0.
Packages:
neutron-common,neutron-dhcp-agent,neutron-l3-agent,neutron-metadata-agent,neutron-plugin-ml2,neutron-plugin-openvswitch-agent,neutron-server,python-neutron
Version:
1:2014.2-fuel6.0~mira28

Vitaly Sedelnik (vsedelnik) on 2015-12-08

information type:

Private Security → Public Security

Vadim Rovachev (vrovachev) on 2015-12-08

tags:

added: on-verification

Revision history for this message

Vadim Rovachev (vrovachev) wrote on 2015-12-15:

Verified on 6.1 on Ubuntu.
Packages:
neutron-common,neutron-dhcp-agent,neutron-l3-agent,neutron-metadata-agent,neutron-plugin-ml2,neutron-plugin-openvswitch-agent,neutron-server,python-neutron
Version:
2014.2.2-1~u14.04+mos36

tags:

removed: on-verification

Dmitry (dtsapikov) on 2016-01-22

tags:

added: on-automation

Adam Heczko (aheczko-mirantis) on 2016-06-21

tags:

added: feature-security

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.