| 2016-08-11 14:56:51 |
Jeremy Stanley |
description |
When using the native OVS firewall driver, security rules are not generated correctly.
For example if a security rule is added to allow traffic on port 22 and protocol TCP, the port 23 is also allowed due to the incorrect generation of port ranges.
The user using OVS firewall driver is unaware of the fact that traffic on port 23 is allowed, since the security groups report that only port 22 is open.
Output for the nova security group rules:
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
Flow added in OVS on the host:
cookie=0xa1e95f1bc2f3773a, duration=3.338s, table=82, n_packets=0, n_bytes=0, idle_age=3, priority=70,ct_state=+new-est,tcp,reg5=0xa04,dl_dst=fa:16:3e:c0:1c:46,tp_dst=0x16/0xfffe
Expected output: Only traffic on port 22 was expected to be allowed.
Actual output: Traffic on port 22 and 23 is allowed.
The algorithm used here causes this issue:
https://github.com/openstack/neutron/blob/master/neutron/common/utils.py#L444-L517 |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
When using the native OVS firewall driver, security rules are not generated correctly.
For example if a security rule is added to allow traffic on port 22 and protocol TCP, the port 23 is also allowed due to the incorrect generation of port ranges.
The user using OVS firewall driver is unaware of the fact that traffic on port 23 is allowed, since the security groups report that only port 22 is open.
Output for the nova security group rules:
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
Flow added in OVS on the host:
cookie=0xa1e95f1bc2f3773a, duration=3.338s, table=82, n_packets=0, n_bytes=0, idle_age=3, priority=70,ct_state=+new-est,tcp,reg5=0xa04,dl_dst=fa:16:3e:c0:1c:46,tp_dst=0x16/0xfffe
Expected output: Only traffic on port 22 was expected to be allowed.
Actual output: Traffic on port 22 and 23 is allowed.
The algorithm used here causes this issue:
https://github.com/openstack/neutron/blob/master/neutron/common/utils.py#L444-L517 |
|
