[OSSA 2014-039] Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | | High | Tristan Cacqueray |
neutron | | High | Tristan Cacqueray |
Icehouse | | Undecided | Tristan Cacqueray |
Juno | | High | Tristan Cacqueray |
Bug Description
The following request body will crash neutron nodes.
{"subnet": {"network_id": "2aeb163a-
"cidr": "192.168.1.3/16",
"dns_nameservers": ["1111111111111
Even strace stops logging.
CVE References
Jason Meridth (jmeridth) wrote : | #1 |
Jeremy Stanley (fungi) wrote : | #3 |
Jason, in what version(s) of Neutron was this observed? Just in the master/release candidate branches or Icehouse as well?
Jason Meridth (jmeridth) wrote : | #4 |
Jeremy, the last commit from upstream that we have is https:/
which also has the 2014.2.rc1
Jeremy Stanley (fungi) wrote : | #5 |
A bit of spelunking shows that the HOSTNAME_PATTERN expression was introduced to Quantum (now Neutron) during the Grizzly development cycle with change https:/
Looks like we probably need a stable/icehouse series task for this bug.
tags: added: icehouse-backport-potential
tags: added: juno-rc-potential
tags: added: juno-backport-potential; removed: juno-rc-potential
Jeremy Stanley (fungi) wrote : | #6 |
I've also subscribed Michael Xin, as he just reported an identical bug I've marked as a duplicate.
Jason Meridth (jmeridth) wrote : | #7 |
Jeremy,
Also can you add/change that the bug was discovered by Henry Yamauchi, Charles Neill and Michael Xin (our security QE team). I was just the one filing the bug and attaching the patch from our Neutron developers. Hope it is possible. Thank you for any help.
Michael Xin (michael-xin) wrote : | #8 |
Jason, Thanks for your quick action.
Jeremy Stanley (fungi) wrote : | #9 |
Jason, absolutely. I'll make sure we credit "Henry Yamauchi, Charles Neill and Michael Xin from Rackspace" as the researchers responsible for its discovery on any advisory we publish for this issue. Thanks for the additional detail.
Jason Meridth (jmeridth) wrote : Re: [Bug 1378450] Re: Maliciously crafted dns_nameservers will crash neutron | #10 |
Jeremy,
Awesome. Thank you
---
Jason
On Oct 8, 2014 1:45 PM, "Jeremy Stanley" <email address hidden> wrote:
> Jason, absolutely. I'll make sure we credit "Henry Yamauchi, Charles
> Neill and Michael Xin from Rackspace" as the researchers responsible for
> its discovery on any advisory we publish for this issue. Thanks for the
> additional detail.
>
> Title:
> Maliciously crafted dns_nameservers will crash neutron
>
> Status in OpenStack Neutron (virtual network service):
> New
> Status in OpenStack Security Advisories:
> Incomplete
>
> Bug description:
> The following request body will crash neutron nodes.
>
> {"subnet": {"network_id": "2aeb163a-
> "ip_version": 4,
> "cidr": "192.168.1.3/16",
> "dns_nameservers":
> ["1111111111111
>
> Even strace stops logging.
>
I can confirm that this issue exists, and also that the supplied patch fixes the issue.
Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → High
Jason Meridth (jmeridth) wrote : | #12 |
Kyle:
What is the process from here? Does someone else apply our suggested patch or do we need to create a gerrit review? Thank you guys for helping us learn this process.
Jeremy Stanley (fungi) wrote : | #13 |
Neutron core security reviewers need to review the patches attached to this bug and/or propose some new attachments. At the same time the vulnerability management team drafts an impact description, requests a CVE with that and schedules a disclosure date with sufficient time to warn downstream consumers and provide advance copies of the accepted patches. On the disclosure date the patches get pushed into Gerrit, rapidly approved and at the same time an advisory is published detailing the vulnerability. https:/
Changed in neutron:
status: New → In Progress
Here is the impact description draft #1:
Title: Neutron DoS through invalid DNS configuration
Reporter: Henry Yamauchi, Charles Neill and Michael Xin (Rackspace)
Products: Neutron
Versions: up to 2014.2
Description:
Henry Yamauchi, Charles Neill and Michael Xin from Rackspace reported a vulnerability in Neutron. By configuring a maliciously crafted dns_nameservers an authenticated user may crash Neutron service resulting in a denial of service attack. All Neutron setups are affected.
@neutron-coresec Can someone please review the proposed fix ?
Doing a run_tests.sh here on a freshly installed "Ubuntu 14.04.1 LTS" with a stable/juno devstack, it fails with:
neutron.
neutron.
neutron.
neutron.
=======
FAIL: process-returncode
process-returncode
-------
_StringException: returncode 1
=======
FAIL: process-returncode
process-returncode
-------
_StringException: returncode 1
=======
FAIL: neutron.
neutron.
-------
_StringException
=======
FAIL: neutron.
neutron.
-------
_StringException
-------
Ran 1709 tests in 512.654s
FAILED (failures=4, skipped=75)
Oops, never mind, those errors also happen without the patch...
Grant Murphy (gmurphy) wrote : | #18 |
Impact description in #14 lgtm
+1
Kyle Mestery (mestery) wrote : | #19 |
Impact description in #14 LGTM to me as well. And I confirmed the attached patches fix the issue.
@jmeridth && @mestery: Can you check if the patch is also effective on Icehouse (it applies and the tests seem ok).
I am happy with the proposed patch and impact description.
I have verified the attached patch fixed the patch in Icehouse as well.
summary: Maliciously crafted dns_nameservers will crash neutron → Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821)
Thierry Carrez (ttx) wrote : Re: Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821) | #22 |
Proposed public disclosure date/time:
2014-11-19, 1500UTC
Changed in ossa:
status: Confirmed → Fix Committed
Changed in neutron:
status: In Progress → Triaged
information type: Private Security → Public Security
Fix proposed to branch: master
Review: https:/
Changed in neutron:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
status: Triaged → In Progress
Fix proposed to branch: stable/juno
Review: https:/
Fix proposed to branch: stable/icehouse
Review: https:/
summary: Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821) → [OSSA 2014-039] Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821)
Change abandoned by Tristan Cacqueray (<email address hidden>) on branch: stable/icehouse
Review: https:/
Reason: Will resubmit with correct changeId...
Change abandoned by Tristan Cacqueray (<email address hidden>) on branch: stable/juno
Review: https:/
Reason: Will resubmit with correct changeId...
Fix proposed to branch: stable/juno
Review: https:/
Fix proposed to branch: stable/icehouse
Review: https:/
Dave Walker (davewalker) wrote : | #30 |
It would seem to me to be a good idea to include the CVE and OSSA reference in the commit message, at least for stable/*.
Thanks
Changed in neutron:
milestone: none → kilo-1
importance: Undecided → High
Jeremy Stanley (fungi) wrote : | #31 |
In the past the VMT has merely relied on the closes-bug header in the commit message, but I'll engage the others on the possibility of amending this. Note however that the VMT often is not the source of stable backport uploads, so this would be a requirement the stable branch managers would need to impose on backport change authors. The VMT can document it as a recommended guideline but can't do much to enforce it directly. Also, it could have the potential to further delay landing stable branch security fixes if encumbered with too much additional process beyond that which is strictly necessary to accomplish the intended task.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 1681f62ec91b6c3
Author: John Perkins <email address hidden>
Date: Mon Oct 6 16:24:57 2014 -0500
Fix hostname regex pattern
Current hostname_pattern regex complexity grows exponentially
when given a string of just digits, which can be exploited to
cause neutron-server to freeze.
Change-Id: I886c6d883a9cb0
Closes-bug: #1378450
Changed in neutron:
status: In Progress → Fix Committed
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit ad6fefcb4d4068b
Author: John Perkins <email address hidden>
Date: Mon Oct 6 16:24:57 2014 -0500
Fix hostname regex pattern
Current hostname_pattern regex complexity grows exponentially
when given a string of just digits, which can be exploited to
cause neutron-server to freeze.
Change-Id: I886c6d883a9cb0
Closes-bug: #1378450
Related fix proposed to branch: master
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/icehouse
commit ab7ea069de5cecf
Author: John Perkins <email address hidden>
Date: Mon Oct 6 16:24:57 2014 -0500
Fix hostname regex pattern
Current hostname_pattern regex complexity grows exponentially
when given a string of just digits, which can be exploited to
cause neutron-server to freeze.
Change-Id: I886c6d883a9cb0
Closes-bug: #1378450
Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
status: Fix Committed → Fix Released
Changed in neutron:
status: Fix Committed → Fix Released
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 7686508a2b03e20
Author: Tristan Cacqueray <email address hidden>
Date: Thu Jan 15 20:40:22 2015 +0000
Amend OSSA-2014-039 for ERRATA1
Related-Bug: #1378450
Change-Id: I4732ac1431ba12
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 2794bb89d664355
Author: YAMAMOTO Takashi <email address hidden>
Date: Fri Nov 21 14:16:03 2014 +0900
attributes: Additional IP address validation
Introduce an additional IP address validation instead of assuming
that netaddr provides it. Namely, it ensures that an address
either has ':' (IPv6) or 3 periods like 'xx.xx.xx.xx'. (IPv4)
The "'1' * 59" test case recently introduced by
commit 1681f62ec91b6c3
some platforms because it's considered a valid address by
their inet_aton. Examples of such platforms: NetBSD, OS X
While one might argue it's a fault of the platforms, this is
a historical behavior which is probably too late to change there.
(The breakage has been hidden by later UT changes in
commit 35662d07628452d
This commit includes a UT change to uncover the problem again.)
Closes-Bug: #1394867
Related-Bug: #1378450
Change-Id: Ibe02f8b7c4d437
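The two commit messages above (1681f62, "Fix hostname regex pattern", and 2794bb8, "Additional IP address validation") describe the mechanism without showing it. The following is an added example, not code from the bug report or from Neutron: it reproduces the exponential backtracking a digit-only dns_nameservers entry triggers in a regex of the shape the first commit describes, and then validates nameservers the way the second commit does, deciding by shape (':' for IPv6, exactly three '.' for IPv4) before anything reaches an address parser or a hostname regex. Assumptions: `VULNERABLE_HOSTNAME_RE` is a simplified stand-in with the same nested-quantifier structure, not Neutron's actual `HOSTNAME_PATTERN`; the stdlib `ipaddress` module stands in for netaddr; `validate_nameserver`, `validate_hostname`, `looks_like_ip_literal` and `backtracking_growth` are names of this example only.

```python
"""Added example (not Neutron code): the ReDoS behind CVE-2014-7821 and a
nameserver validator that never hands untrusted text to a backtracking
hostname regex.

Assumptions, not taken from the bug report: VULNERABLE_HOSTNAME_RE is a
simplified stand-in with the shape the commit message describes, not
Neutron's real HOSTNAME_PATTERN; ipaddress stands in for netaddr; every
function name here is this example's own.
"""
import ipaddress
import re
import time
from typing import List, Optional, Sequence, Tuple

# Stand-in for the pre-fix pattern: a repeated "label plus optional dot"
# group, then a required alphabetic top-level label.  On a run of digits
# the engine tries every way of splitting the run into labels before the
# trailing [a-zA-Z]{2,} fails: about 2**n attempts for n digits.
VULNERABLE_HOSTNAME_RE = re.compile(r"^(?:[a-zA-Z0-9_-]{1,63}\.?)+[a-zA-Z]{2,}$")

# Fixed-form checks: one bounded regex per label, no nested quantifiers,
# so matching cost is linear in the input length.
LABEL_RE = re.compile(r"^[a-zA-Z0-9_]([a-zA-Z0-9_-]{0,61}[a-zA-Z0-9_])?$")
TLD_RE = re.compile(r"^[a-zA-Z]{2,}$")


def time_vulnerable_match(n: int, repeats: int = 3) -> float:
    """Best-of-N seconds for the vulnerable regex to reject n digits."""
    payload = "1" * n  # constructed input, same shape as the reported request body
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        VULNERABLE_HOSTNAME_RE.match(payload)  # always None for digit-only input
        best = min(best, time.perf_counter() - start)
    return best


def backtracking_growth(sizes: Sequence[int] = (10, 14, 18)) -> List[Tuple[int, float]]:
    """Rejection time per input length; each extra digit roughly doubles it."""
    return [(n, time_vulnerable_match(n)) for n in sizes]


def looks_like_ip_literal(value: str) -> bool:
    """Shape check from the follow-up commit: IPv6 text contains ':',
    dotted-quad IPv4 text contains exactly three '.'.  A bare run of
    digits is neither, so it is never offered to an inet_aton-style parser
    (which may accept it on NetBSD or OS X) and never mistaken for an IP."""
    return ":" in value or value.count(".") == 3


def validate_hostname(value: str) -> Optional[str]:
    """Linear-time hostname check; returns None when valid, else a message."""
    if not 1 <= len(value) <= 253:
        return "'%s' is not a valid hostname (length)" % value
    labels = value.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            return "'%s' is not a valid hostname (label %r)" % (value, label)
    if not TLD_RE.match(labels[-1]):
        return "'%s' is not a valid hostname (top-level label)" % value
    return None


def validate_nameserver(value: str) -> Optional[str]:
    """IP literal first, hostname fallback, but the literal/hostname choice is
    made by shape rather than by whether the IP parser happened to reject it."""
    if not value or value != value.strip() or any(c.isspace() for c in value):
        return "'%s' is not a valid nameserver" % value
    if looks_like_ip_literal(value):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "'%s' is not a valid IP address" % value
        return None
    return validate_hostname(value)


if __name__ == "__main__":
    for n, seconds in backtracking_growth():
        print("%2d digits: %.4f s" % (n, seconds))
    for candidate in ("8.8.8.8", "2001:db8::1", "ns1.example.com", "1" * 59, "1.2.3"):
        print("%-20s -> %s" % (candidate, validate_nameserver(candidate) or "ok"))
```

Running the block prints the rejection time for 10, 14 and 18 digits, which grows by roughly 2x per digit; the 59-digit payload from the report would not return in any useful time, which is the "Even strace stops logging" symptom. The same 59-digit string is rejected by `validate_nameserver` in microseconds, and `1.2.3` is rejected rather than silently widened, because the shape check refuses to treat it as an address.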
Related fix proposed to branch: stable/juno
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit d329c221c37714f
Author: YAMAMOTO Takashi <email address hidden>
Date: Fri Nov 21 14:16:03 2014 +0900
attributes: Additional IP address validation
Introduce an additional IP address validation instead of assuming
that netaddr provides it. Namely, it ensures that an address
either has ':' (IPv6) or 3 periods like 'xx.xx.xx.xx'. (IPv4)
The "'1' * 59" test case recently introduced by
commit 1681f62ec91b6c3
some platforms because it's considered a valid address by
their inet_aton. Examples of such platforms: NetBSD, OS X
While one might argue it's a fault of the platforms, this is
a historical behavior which is probably too late to change there.
(The breakage has been hidden by later UT changes in
commit 35662d07628452d
This commit includes a UT change to uncover the problem again.)
(cherry-picked from 2794bb89d664355
Closes-Bug: #1394867
Related-Bug: #1378450
Change-Id: Ibe02f8b7c4d437
tags: added: in-stable-juno
Changed in neutron:
milestone: kilo-1 → 2015.1.0
Thanks for the report, the OSSA task is set to incomplete, pending additional details from the security reviewer.