| 2014-01-29 10:15:03 |
Édouard Thuleau |
bug |
|
|
added bug |
| 2014-01-29 10:16:57 |
Édouard Thuleau |
bug |
|
|
added subscriber Mathieu Rohon |
| 2014-01-29 13:40:59 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2014-01-29 13:41:32 |
Jeremy Stanley |
neutron: status |
New |
Incomplete |
|
| 2014-01-29 13:41:37 |
Jeremy Stanley |
neutron: status |
Incomplete |
New |
|
| 2014-01-29 13:41:42 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2014-01-29 16:43:31 |
Édouard Thuleau |
description |
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks. |
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/ |
|
| 2014-01-29 16:47:14 |
Édouard Thuleau |
description |
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/ |
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2]
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/ |
|
| 2014-02-03 16:26:15 |
Édouard Thuleau |
attachment added |
|
iptables_firewall_basic_spoofing.patch https://bugs.launchpad.net/ossa/+bug/1274034/+attachment/3967734/+files/iptables_firewall_basic_spoofing.patch |
|
| 2014-02-03 16:48:14 |
Thierry Carrez |
bug |
|
|
added subscriber Mark McClain |
| 2014-02-10 13:25:44 |
Mathieu Rohon |
ossa: status |
Incomplete |
Confirmed |
|
| 2014-02-10 13:26:08 |
Mathieu Rohon |
ossa: status |
Confirmed |
Incomplete |
|
| 2014-02-10 13:55:28 |
Mathieu Rohon |
bug |
|
|
added subscriber Nachi Ueno |
| 2014-02-10 17:29:57 |
Mark McClain |
bug |
|
|
added subscriber Aaron Rosen |
| 2014-02-17 19:54:53 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2014-02-17 19:55:09 |
Jeremy Stanley |
tags |
sg-fw |
security sg-fw |
|
| 2014-02-17 19:57:07 |
Jeremy Stanley |
ossa: status |
Incomplete |
Invalid |
|
| 2014-02-21 20:50:35 |
Mark McClain |
neutron: status |
New |
Triaged |
|
| 2014-02-21 20:50:49 |
Mark McClain |
tags |
security sg-fw |
l3-ipam-dhcp security sg-fw |
|
| 2014-03-09 21:48:46 |
Cedric Brandily |
bug |
|
|
added subscriber Cedric Brandily |
| 2014-03-25 21:58:29 |
Kevin Bringard |
tags |
l3-ipam-dhcp security sg-fw |
havana-backport-potential l3-ipam-dhcp security sg-fw |
|
| 2014-03-26 18:16:31 |
Kevin Bringard |
attachment added |
|
iptables_firewall.py.patch https://bugs.launchpad.net/neutron/+bug/1274034/+attachment/4045291/+files/iptables_firewall.py.patch |
|
| 2014-03-30 18:39:32 |
Darragh O'Reilly |
bug |
|
|
added subscriber Darragh O'Reilly |
| 2014-04-08 20:06:50 |
OpenStack Infra |
neutron: status |
Triaged |
In Progress |
|
| 2014-04-08 20:06:50 |
OpenStack Infra |
neutron: assignee |
|
Kevin Bringard (kbringard) |
|
| 2014-04-11 14:28:08 |
Akihiro Motoki |
tags |
havana-backport-potential l3-ipam-dhcp security sg-fw |
havana-backport-potential icehouse-backport-potential l3-ipam-dhcp security sg-fw |
|
| 2014-06-19 20:23:11 |
Mathieu Gagné |
bug |
|
|
added subscriber Mathieu Gagné |
| 2014-07-11 16:45:49 |
Kevin Bringard |
neutron: assignee |
Kevin Bringard (kbringard) |
|
|
| 2014-08-19 02:40:25 |
Juergen Brendel |
neutron: assignee |
|
Juergen Brendel (jbrendel) |
|
| 2014-08-22 09:31:36 |
Robert Clark |
bug task added |
|
ossn |
|
| 2014-08-25 14:57:05 |
Kyle Mestery |
neutron: importance |
Undecided |
High |
|
| 2014-08-28 07:00:30 |
Matt Popow |
bug |
|
|
added subscriber Matt Popow |
| 2014-09-02 14:34:23 |
Tim Kelsey |
ossn: assignee |
|
Tim Kelsey (tim-kelsey) |
|
| 2014-09-03 15:47:10 |
Sharmin Choksey |
bug |
|
|
added subscriber Sharmin Choksey |
| 2014-09-05 10:22:45 |
Tim Kelsey |
ossn: status |
New |
In Progress |
|
| 2014-09-19 10:29:34 |
Tim Kelsey |
ossn: status |
In Progress |
Fix Committed |
|
| 2014-09-24 09:15:39 |
haruka tanizawa |
bug |
|
|
added subscriber haruka tanizawa |
| 2014-09-26 02:27:40 |
Nathan Kinder |
ossn: status |
Fix Committed |
Fix Released |
|
| 2014-10-10 04:45:03 |
Tomoko Inoue |
bug |
|
|
added subscriber Tomoko Inoue |
| 2014-11-18 08:27:31 |
Jian Wen |
bug |
|
|
added subscriber Jian Wen |
| 2014-12-01 03:25:47 |
huangyunpeng |
bug |
|
|
added subscriber huangyunpeng |
| 2014-12-16 01:04:54 |
Subrahmanyam Ongole |
bug |
|
|
added subscriber Subrahmanyam Ongole |
| 2015-01-10 00:28:56 |
George Shuklin |
bug |
|
|
added subscriber George Shuklin |
| 2015-01-15 21:36:08 |
Kyle Mestery |
neutron: milestone |
|
kilo-3 |
|
| 2015-01-16 07:16:58 |
gustavo panizzo |
bug |
|
|
added subscriber gustavo panizzo |
| 2015-01-22 10:42:31 |
Viktor Tikkanen |
bug |
|
|
added subscriber Viktor Tikkanen |
| 2015-03-04 16:14:53 |
Mike Dorman |
bug |
|
|
added subscriber Mike Dorman |
| 2015-03-19 14:13:56 |
Kyle Mestery |
neutron: milestone |
kilo-3 |
|
|
| 2015-03-31 13:59:37 |
Kyle Mestery |
neutron: milestone |
|
liberty-1 |
|
| 2015-04-06 23:21:14 |
OpenStack Infra |
neutron: assignee |
Juergen Brendel (jbrendel) |
Kevin Benton (kevinbenton) |
|
| 2015-04-07 13:58:56 |
Kyle Mestery |
neutron: milestone |
liberty-1 |
kilo-rc1 |
|
| 2015-04-08 12:06:35 |
Danny Choi |
bug |
|
|
added subscriber Danny Choi |
| 2015-04-09 01:29:15 |
Kyle Mestery |
neutron: milestone |
kilo-rc1 |
liberty-1 |
|
| 2015-04-12 20:59:56 |
Kevin Benton |
neutron: assignee |
Kevin Benton (kevinbenton) |
|
|
| 2015-04-12 21:28:04 |
Juergen Brendel |
ossa: assignee |
|
Juergen Brendel (jbrendel) |
|
| 2015-05-05 23:12:55 |
Ahmed Rahal |
bug |
|
|
added subscriber Ahmed Rahal |
| 2015-05-13 22:40:05 |
Tomoko Inoue |
tags |
havana-backport-potential icehouse-backport-potential l3-ipam-dhcp security sg-fw |
havana-backport-potential icehouse-backport-potential juno-backport-potential kilo-backport-potential l3-ipam-dhcp security sg-fw |
|
| 2015-05-14 01:06:51 |
Cedric Brandily |
tags |
havana-backport-potential icehouse-backport-potential juno-backport-potential kilo-backport-potential l3-ipam-dhcp security sg-fw |
l3-ipam-dhcp security sg-fw |
|
| 2015-05-15 17:47:16 |
Michael Still |
bug |
|
|
added subscriber Rackspace Cloud Builders Australia |
| 2015-05-18 09:04:33 |
Adam Huffman |
bug |
|
|
added subscriber Adam Huffman |
| 2015-05-21 00:45:23 |
Sam Morrison |
bug |
|
|
added subscriber Sam Morrison |
| 2015-05-27 20:31:33 |
Dustin Lundquist |
bug |
|
|
added subscriber Dustin Lundquist |
| 2015-06-04 20:01:21 |
Juergen Brendel |
ossa: assignee |
Juergen Brendel (jbrendel) |
|
|
| 2015-06-04 20:04:55 |
Henry Gessau |
neutron: assignee |
|
Mark McClain (markmcclain) |
|
| 2015-06-23 15:45:18 |
Thierry Carrez |
neutron: milestone |
liberty-1 |
liberty-2 |
|
| 2015-06-30 09:00:45 |
OpenStack Infra |
neutron: assignee |
Mark McClain (markmcclain) |
Kevin Benton (kevinbenton) |
|
| 2015-07-08 20:40:13 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Committed |
|
| 2015-07-09 20:03:00 |
OpenStack Infra |
tags |
l3-ipam-dhcp security sg-fw |
in-feature-pecan l3-ipam-dhcp security sg-fw |
|
| 2015-07-29 18:57:53 |
Doug Hellmann |
neutron: status |
Fix Committed |
Fix Released |
|
| 2015-08-04 20:19:36 |
Chet Burgess |
attachment added |
|
juno backport https://bugs.launchpad.net/neutron/+bug/1274034/+attachment/4439215/+files/0001-Add-ARP-spoofing-protection-for-LinuxBridge-agent.patch |
|
| 2015-09-20 18:28:59 |
OpenStack Infra |
tags |
in-feature-pecan l3-ipam-dhcp security sg-fw |
in-feature-pecan in-stable-juno l3-ipam-dhcp security sg-fw |
|
| 2015-09-21 18:46:46 |
OpenStack Infra |
tags |
in-feature-pecan in-stable-juno l3-ipam-dhcp security sg-fw |
in-feature-pecan in-stable-juno in-stable-kilo l3-ipam-dhcp security sg-fw |
|
| 2015-10-11 18:30:14 |
Chuck Short |
nominated for series |
|
neutron/kilo |
|
| 2015-10-11 18:30:14 |
Chuck Short |
bug task added |
|
neutron/kilo |
|
| 2015-10-11 18:30:24 |
Chuck Short |
neutron/kilo: status |
New |
Fix Committed |
|
| 2015-10-11 18:30:30 |
Chuck Short |
neutron/kilo: milestone |
|
2015.1.2 |
|
| 2015-10-13 19:23:10 |
Chuck Short |
neutron/kilo: status |
Fix Committed |
Fix Released |
|
| 2015-10-15 12:25:05 |
Thierry Carrez |
neutron: milestone |
liberty-2 |
7.0.0 |
|
| 2015-11-14 10:34:03 |
Alan Pevec |
nominated for series |
|
neutron/juno |
|
| 2015-11-14 10:34:03 |
Alan Pevec |
bug task added |
|
neutron/juno |
|
| 2015-11-14 15:07:02 |
Alan Pevec |
neutron/juno: status |
New |
Fix Committed |
|
| 2015-11-14 15:07:02 |
Alan Pevec |
neutron/juno: milestone |
|
2014.2.4 |
|
| 2015-11-19 21:45:15 |
Alan Pevec |
neutron/juno: status |
Fix Committed |
Fix Released |
|
| 2016-03-01 16:55:05 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
| 2023-06-14 13:39:50 |
Christian Rohmann |
bug |
|
|
added subscriber Christian Rohmann |
