| 2015-08-26 18:15:19 |
Kevin Benton |
bug |
|
|
added bug |
| 2015-08-26 18:18:43 |
Kevin Benton |
attachment added |
|
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452864/+files/devowner_patch.patch |
|
| 2015-08-26 18:35:11 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2015-08-26 18:35:16 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2015-08-26 18:35:27 |
Tristan Cacqueray |
bug |
|
|
added subscriber Neutron Core Security reviewers |
| 2015-08-26 18:36:07 |
Tristan Cacqueray |
description |
The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)
watch neutron port-update <port-uuid-from-above> --device-owner network:hello
Then boot the VM with the port UUID:
nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec
This VM will now have no iptables rules applied because it will be treated as a network owned port (e.g. router interface, DHCP interface, etc). |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)
watch neutron port-update <port-uuid-from-above> --device-owner network:hello
Then boot the VM with the port UUID:
nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec
This VM will now have no iptables rules applied because it will be treated as a network owned port (e.g. router interface, DHCP interface, etc). |
|
| 2015-08-26 18:48:32 |
Kevin Benton |
attachment removed |
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452864/+files/devowner_patch.patch |
|
|
| 2015-08-26 18:50:24 |
Kevin Benton |
attachment added |
|
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452884/+files/devowner_patch.patch |
|
| 2015-08-26 20:38:31 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
| 2015-08-26 20:38:43 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-08-26 21:10:59 |
Kevin Benton |
attachment added |
|
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452943/+files/devowner_patch.patch |
|
| 2015-08-26 21:11:10 |
Kevin Benton |
attachment removed |
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452884/+files/devowner_patch.patch |
|
|
| 2015-08-27 13:12:38 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Triaged |
|
| 2015-08-27 19:25:55 |
Kevin Benton |
attachment added |
|
kilo patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4453491/+files/devowner_patch_kilo.patch |
|
| 2015-08-27 19:26:16 |
Kevin Benton |
attachment added |
|
juno patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4453492/+files/devowner_patch_juno.patch |
|
| 2015-08-27 20:01:56 |
Tristan Cacqueray |
ossa: status |
Triaged |
In Progress |
|
| 2015-08-27 20:26:35 |
Tristan Cacqueray |
cve linked |
|
2015-5240 |
|
| 2015-08-27 20:26:47 |
Tristan Cacqueray |
summary |
IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner |
IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240) |
|
| 2015-08-28 14:48:25 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
| 2015-09-01 20:02:16 |
Kevin Benton |
attachment removed |
kilo patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4453491/+files/devowner_patch_kilo.patch |
|
|
| 2015-09-01 20:36:16 |
Kevin Benton |
attachment removed |
devowner_patch.patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4452943/+files/devowner_patch.patch |
|
|
| 2015-09-01 20:36:30 |
Kevin Benton |
attachment removed |
juno patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4453492/+files/devowner_patch_juno.patch |
|
|
| 2015-09-01 20:42:23 |
Kevin Benton |
attachment added |
|
juno patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4455836/+files/devowner_patch_juno.patch |
|
| 2015-09-01 20:46:13 |
Kevin Benton |
attachment removed |
juno patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4455836/+files/devowner_patch_juno.patch |
|
|
| 2015-09-01 20:58:13 |
Kevin Benton |
attachment added |
|
master patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4455837/+files/devowner_patch.patch |
|
| 2015-09-01 21:00:18 |
Kevin Benton |
attachment added |
|
kilo patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4455838/+files/devowner_patch_kilo.patch |
|
| 2015-09-01 21:06:20 |
Kevin Benton |
attachment added |
|
juno patch https://bugs.launchpad.net/neutron/+bug/1489111/+attachment/4455839/+files/devowner_patch_juno.patch |
|
| 2015-09-08 14:59:53 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
| 2015-09-08 15:00:22 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
| 2015-09-08 15:00:22 |
OpenStack Infra |
neutron: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
| 2015-09-08 15:02:38 |
Tristan Cacqueray |
summary |
IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240) |
[OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240) |
|
| 2015-09-08 22:40:32 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Committed |
|
| 2015-09-09 02:29:30 |
OpenStack Infra |
tags |
|
in-stable-juno |
|
| 2015-09-09 02:32:26 |
OpenStack Infra |
tags |
in-stable-juno |
in-stable-juno in-stable-kilo |
|
| 2015-09-14 14:04:09 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
| 2015-09-17 22:36:51 |
OpenStack Infra |
tags |
in-stable-juno in-stable-kilo |
in-feature-pecan in-stable-juno in-stable-kilo |
|
| 2015-09-24 07:31:04 |
Thierry Carrez |
neutron: status |
Fix Committed |
Fix Released |
|
| 2015-09-24 07:31:04 |
Thierry Carrez |
neutron: milestone |
|
liberty-rc1 |
|
| 2015-10-15 12:39:45 |
Thierry Carrez |
neutron: milestone |
liberty-rc1 |
7.0.0 |
|
| 2015-11-02 11:40:07 |
Timur Nurlygayanov |
bug |
|
|
added subscriber Kristina Kuznetsova |
| 2015-11-14 10:34:11 |
Alan Pevec |
nominated for series |
|
neutron/juno |
|
| 2015-11-14 10:34:11 |
Alan Pevec |
bug task added |
|
neutron/juno |
|
| 2015-11-14 15:07:12 |
Alan Pevec |
neutron/juno: status |
New |
Fix Committed |
|
| 2015-11-14 15:07:12 |
Alan Pevec |
neutron/juno: milestone |
|
2014.2.4 |
|
| 2015-11-19 21:45:24 |
Alan Pevec |
neutron/juno: status |
Fix Committed |
Fix Released |
|
| 2015-11-25 13:15:13 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)
watch neutron port-update <port-uuid-from-above> --device-owner network:hello
Then boot the VM with the port UUID:
nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec
This VM will now have no iptables rules applied because it will be treated as a network owned port (e.g. router interface, DHCP interface, etc). |
The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.
Steps to reproduce:
Create a port on the target network:
neutron port-create some_network
Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)
watch neutron port-update <port-uuid-from-above> --device-owner network:hello
Then boot the VM with the port UUID:
nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec
This VM will now have no iptables rules applied because it will be treated as a network owned port (e.g. router interface, DHCP interface, etc). |
|
