[OSSA 2015-018] IP, MAC, and DHCP spoofing rules can be bypassed by changing device_owner (CVE-2015-5240)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Fix Released | Undecided | Tristan Cacqueray |
neutron | Fix Released | Undecided | Tristan Cacqueray |
Juno | Fix Released | Undecided | Unassigned |
Bug Description
The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:
watch neutron port-update <port-uuid-
Then boot the VM with the port UUID:
nova boot test --nic port-id=
This VM will now have no iptables rules applied because it will be treated as a network owned port (e.g. router interface, DHCP interface, etc).
summary: IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner → IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)
information type: Private Security → Public Security
summary: IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240) → [OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)
Changed in ossa:
status: Fix Committed → Fix Released
Changed in neutron:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
Changed in neutron:
milestone: liberty-rc1 → 7.0.0
Hi,
I have attached a patch that fixes the problem.
It enables a regex match in the policy engine and then changes the default policy to prevent users from using the 'network:' prefix in the device_owner field unless they own the network, have the advanced services role, or are an admin.
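The policy the comment above describes, together with the agent-side consequence the bug description reports (a port whose device_owner starts with 'network:' gets no per-port iptables rules), modelled as an added Python example. This is not neutron's code and not the attached patch: the `^network:` regex check, the role name `advsvc` for the "advanced services" role, the `update_port`/`port_rules_applied` helpers and the dict shapes for context, port and network are all assumptions made for the illustration.

```python
import re

# Constructed model of the fix: the policy engine gains a regex field check,
# and the default policy reserves device_owner values matching '^network:'
# for the network's owner, holders of the advanced-services role, or admins.
NETWORK_DEVICE_RE = re.compile(r"^network:")
ADVSVC_ROLE = "advsvc"   # assumed name of the "advanced services" role


def is_network_device(device_owner):
    """The regex field check the comment says the fix enables in the policy engine."""
    return NETWORK_DEVICE_RE.match(device_owner or "") is not None


def policy_allows_device_owner(context, device_owner, network):
    """Policy decision for a create_port/update_port request carrying device_owner.

    Ordinary values (e.g. 'compute:nova') are unaffected; a 'network:' prefix is
    allowed only to the network owner, the advanced-services role, or an admin.
    """
    if not is_network_device(device_owner):
        return True
    if context.get("is_admin"):
        return True
    if ADVSVC_ROLE in context.get("roles", ()):
        return True
    return context.get("tenant_id") == network["tenant_id"]


def update_port(context, port, network, device_owner, policy_enabled=True):
    """Apply a device_owner update and return the resulting port dict.

    policy_enabled=False reproduces the pre-fix behaviour, where any tenant that
    can reach the port may write any device_owner; with it enabled, reserved
    values are rejected before the port is changed.
    """
    if policy_enabled and not policy_allows_device_owner(context, device_owner, network):
        raise PermissionError("device_owner %r is reserved" % device_owner)
    return dict(port, device_owner=device_owner)


def port_rules_applied(port):
    """Agent-side effect described in the report: ports treated as network-owned
    (router interface, DHCP interface, ...) get no anti-spoofing iptables rules."""
    return not is_network_device(port["device_owner"])


if __name__ == "__main__":
    # Constructed sample data: tenant-b holds a port on a network owned by tenant-a.
    net = {"id": "net-1", "tenant_id": "tenant-a"}
    tenant_b = {"tenant_id": "tenant-b", "roles": ["member"], "is_admin": False}
    port = {"id": "port-1", "network_id": "net-1", "tenant_id": "tenant-b",
            "device_owner": "compute:nova"}

    spoofed = update_port(tenant_b, port, net, "network:foo", policy_enabled=False)
    print("pre-fix: rules applied?", port_rules_applied(spoofed))        # False
    print("post-fix: update allowed?",
          policy_allows_device_owner(tenant_b, "network:foo", net))      # False
```

The check runs on the requested value, so the repeated-update race in the report no longer helps: each attempt to write a 'network:' value is evaluated against the same rule, and the compute value nova writes is never reserved.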