[OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Fix Released | High | Grant Murphy | |
| neutron | Fix Released | Critical | Aaron Rosen | |
| Havana | Fix Released | Critical | Aaron Rosen | |
Bug Description
The l3-agent does not check tenant_id and allows tenants to plug ports into other tenants' routers if the device_id is set to another tenant's router.
# become admin tenant
arosen@
# Create router as admin:
arosen@
Created a new router:
+------
| Field | Value |
+------
| admin_state_up | True |
| external_
| id | 80ffe19a-
| name | admin-router |
| status | ACTIVE |
| tenant_id | 04e94acfe69f496
+------
# Become demo tenant
arosen@
#create port with correct device_id and device_owner
arosen@
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| device_id | 80ffe19a-
| device_owner | network:
| fixed_ips | {"subnet_id": "5786a0a6-
| id | 895cf428-
| mac_address | fa:16:3e:21:33:6c |
| name | |
| network_id | 4de8b4f6-
| security_groups | |
| status | DOWN |
| tenant_id | ad069ea620614cc
+------
Now when the l3-agent is restarted or enters its periodic sync state:
arosen@
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
qr-895cf428-4b Link encap:Ethernet HWaddr fa:16:3e:21:33:6c
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::f816:
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:300 (300.0 B) TX bytes:398 (398.0 B)
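As an added example (not Neutron's own code), the tenant check the description says is missing, written as an operator audit over neutron port and router records plus the filter a tenant-aware sync would apply before wiring a port into a router namespace. Field names follow the API output above; the ids and tenant ids are constructed, and the code assumes interface ports carry their router owner's tenant_id (shared-network setups may need an admin exemption).

```python
# Added example, not Neutron's code: detect router-interface ports whose
# tenant does not match the router they name (the CVE-2014-0056 condition).
ROUTER_INTERFACE = "network:router_interface"

def audit_router_ports(routers, ports):
    """Classify router-interface ports against the router their device_id names.

    routers: iterable of dicts with 'id' and 'tenant_id'
    ports:   iterable of dicts with 'id', 'tenant_id', 'device_id', 'device_owner'
    Returns a dict of port-id lists: 'ok', 'cross_tenant', 'orphaned'.
    """
    router_tenant = {r["id"]: r["tenant_id"] for r in routers}
    result = {"ok": [], "cross_tenant": [], "orphaned": []}
    for port in ports:
        if port.get("device_owner") != ROUTER_INTERFACE:
            continue  # VM ports, DHCP ports etc. are outside this check
        owner = router_tenant.get(port.get("device_id"))
        if owner is None:
            result["orphaned"].append(port["id"])       # names no known router
        elif owner != port["tenant_id"]:
            result["cross_tenant"].append(port["id"])   # the bug's signature
        else:
            result["ok"].append(port["id"])
    return result

def interfaces_to_plug(router, ports):
    """Interface ports a tenant-aware sync may wire into this router:
    device_id must name the router AND tenant_id must match the router's."""
    return [p for p in ports
            if p.get("device_owner") == ROUTER_INTERFACE
            and p.get("device_id") == router["id"]
            and p.get("tenant_id") == router["tenant_id"]]

# Constructed sample mirroring the report: the demo tenant creates a port whose
# device_id names the admin tenant's router. All ids below are placeholders.
ROUTERS = [{"id": "router-admin", "tenant_id": "tenant-admin"}]
PORTS = [
    {"id": "port-admin-if", "tenant_id": "tenant-admin",
     "device_id": "router-admin", "device_owner": ROUTER_INTERFACE},
    {"id": "port-demo-crossplug", "tenant_id": "tenant-demo",
     "device_id": "router-admin", "device_owner": ROUTER_INTERFACE},
    {"id": "port-demo-stale", "tenant_id": "tenant-demo",
     "device_id": "router-deleted", "device_owner": ROUTER_INTERFACE},
    {"id": "port-demo-vm", "tenant_id": "tenant-demo",
     "device_id": "vm-1", "device_owner": "compute:nova"},
]

if __name__ == "__main__":
    print(audit_router_ports(ROUTERS, PORTS))
    print([p["id"] for p in interfaces_to_plug(ROUTERS[0], PORTS)])
```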
Changed in ossa:
- importance: Undecided → High
- status: New → Confirmed

Changed in ossa:
- assignee: nobody → Grant Murphy (gmurphy)

Changed in ossa:
- status: Confirmed → Triaged

summary: Routers can be cross plugged by other tenants → Routers can be cross plugged by other tenants (CVE-2014-0056)

Changed in ossa:
- status: Triaged → In Progress

Changed in ossa:
- status: In Progress → Fix Committed

Changed in neutron:
- milestone: none → icehouse-rc1

Changed in ossa:
- status: Fix Committed → Fix Released

Changed in neutron:
- status: Fix Committed → Fix Released

Changed in neutron:
- milestone: icehouse-rc1 → 2014.1

no longer affects: neutron/grizzly
Note the above patch applies cleanly to stable/havana as well.