connection on Neutron Bridge

Bug #1753757 reported by Atif
This bug affects 2 people
Affects: neutron
Status: Incomplete
Importance: Undecided
Assigned to: new (cloudie)
Milestone: (none)

Bug Description

Summary (Bug title): connection on Neutron Bridging.

High level description: A bug was revealed in the default setting of OpenStack Mitaka Neutron. It allows bridging of a TAP interface that does not have a private Ethernet interface at the backend (those are used to connect to the internet). As a result, this connection would create a serious security risk by disclosing the network traffic of tenants.

Pre-conditions: Created a project "test".

Created a network, subnet, router and VMs, and the VMs are attached to the network.

Step-by-step reproduction steps: CLI commands or API requests are great;

Connection with bridge Interface through which traffic of all other VMs passed.

create Mirror name=<mirror_name>
select-src-port=@br-int
set mirror @ br-int
select-src-port=@br-int
select-dst-port=@dummy0

As a result, this command can disclose the privacy of the tenant VMs by redirecting their network traffic to a destination point.

Version:
  OpenStack version stable/mitaka
  Linux Distro: Seen this behavior in Ubuntu. It is independent of distro.
  ** devstack

Environment: what types of services are you running (core services like DB and AMQP broker, as well as Nova/hypervisor if it matters), and which type of deployment (clustered servers)? Multi-node or single node, etc.
Single node. Independent of Hypervisor.

Perceived severity: is this a blocker for you?
I think this must be fixed in the next release, as it discloses the privacy of the tenant.
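A check an operator would want alongside this report, added here as an example and not code from the bug report or from the Neutron project: it parses the text output of the real commands `ovs-vsctl list Bridge` and `ovs-vsctl list Mirror`, joins mirrors to the bridge that references them, and rates any mirror on br-int (where Neutron plugs tenant tap devices) as high. The sample records and their UUIDs are constructed so the logic runs offline; `live_audit()` is the hook for running it on a real compute node.

```python
"""Audit Open vSwitch for port mirrors attached to Neutron's integration bridge.

Added example, not code from the bug report or from the Neutron project. It
consumes the text output of two real commands, `ovs-vsctl list Bridge` and
`ovs-vsctl list Mirror`, and joins them so an operator can see which bridge a
mirror is attached to. The sample records below are constructed, with
placeholder UUIDs, so the audit logic can be run offline.
"""
import re
import subprocess
from typing import Dict, List

# Neutron plugs tenant instance tap devices into br-int, so a mirror there
# copies tenant traffic to whatever output port the mirror names.
INTEGRATION_BRIDGE = "br-int"

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)


def parse_records(listing: str) -> List[Dict[str, str]]:
    """Split `ovs-vsctl list <table>` output into one dict per record.

    Records are separated by blank lines; each record line is `key : value`.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", listing.strip()):
        record = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            record[key.strip()] = value.strip()
        if record:
            records.append(record)
    return records


def find_mirrors(bridge_listing: str, mirror_listing: str) -> List[Dict[str, object]]:
    """Return one finding per mirror referenced by any bridge.

    A mirror on the integration bridge is rated high because it can carry
    tenant traffic; mirrors on other bridges are still reported for review.
    """
    mirrors_by_uuid = {
        m["_uuid"]: m for m in parse_records(mirror_listing) if "_uuid" in m
    }
    findings = []
    for bridge in parse_records(bridge_listing):
        bridge_name = bridge.get("name", "").strip('"')
        for mirror_uuid in UUID_RE.findall(bridge.get("mirrors", "")):
            mirror = mirrors_by_uuid.get(mirror_uuid, {})
            findings.append({
                "bridge": bridge_name,
                "mirror": mirror.get("name", mirror_uuid).strip('"'),
                "select_all": mirror.get("select_all") == "true",
                "output_port": mirror.get("output_port", "[]"),
                "severity": "high" if bridge_name == INTEGRATION_BRIDGE else "medium",
            })
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """Render findings one per line; an empty string means no mirrors exist."""
    return "\n".join(
        f"[{f['severity']}] bridge={f['bridge']} mirror={f['mirror']} "
        f"select_all={f['select_all']} output_port={f['output_port']}"
        for f in findings
    )


def live_audit() -> List[Dict[str, object]]:
    """Query the local vswitchd (needs ovs-vsctl and normally root)."""
    bridges = subprocess.run(["ovs-vsctl", "list", "Bridge"], check=True,
                             capture_output=True, text=True).stdout
    mirrors = subprocess.run(["ovs-vsctl", "list", "Mirror"], check=True,
                             capture_output=True, text=True).stdout
    return find_mirrors(bridges, mirrors)


# Constructed sample output in the `ovs-vsctl list` format; UUIDs are placeholders.
BRIDGE_SAMPLE = """\
_uuid               : 11111111-1111-4111-8111-111111111111
datapath_type       : system
mirrors             : [22222222-2222-4222-8222-222222222222]
name                : br-int
ports               : [33333333-3333-4333-8333-333333333333, 44444444-4444-4444-8444-444444444444]

_uuid               : 55555555-5555-4555-8555-555555555555
datapath_type       : system
mirrors             : []
name                : br-ex
ports               : [66666666-6666-4666-8666-666666666666]
"""

MIRROR_SAMPLE = """\
_uuid               : 22222222-2222-4222-8222-222222222222
external_ids        : {}
name                : tap-mirror
output_port         : 44444444-4444-4444-8444-444444444444
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=0, tx_packets=0}
"""

if __name__ == "__main__":
    # Offline run against the constructed sample; use live_audit() on a real host.
    print(format_report(find_mirrors(BRIDGE_SAMPLE, MIRROR_SAMPLE)))
```

Run periodically on each compute node (or from a config-management check), a non-empty report means someone with hypervisor-level access configured a mirror; in a default Neutron deployment no mirrors are expected, so any finding is worth a ticket regardless of who created it.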

Revision history for this message
Atif (asaeed) wrote :
new (cloudie)
Changed in neutron:
assignee: nobody → new (cloudie)
status: New → In Progress
new (cloudie)
summary: - connection on Neutron Bridging
+ connection on Neutron Bridge
Revision history for this message
Brian Haley (brian-haley) wrote :

So is this something that requires access to the hypervisor, i.e. you need to be root on the underlying compute node? If so, tcpdump can already be used by root to capture tenant traffic. It doesn't look like it's something that can be done from inside a tenant VM, so I don't see why it is a security issue.

Changed in neutron:
status: In Progress → Incomplete
new (cloudie)
Changed in neutron:
status: Incomplete → In Progress
Revision history for this message
Brian Haley (brian-haley) wrote :

I'm moving this back to Incomplete since I still don't understand the security risk here, thanks. It will automatically transition to In Progress if/when a patch is proposed to fix it.

Changed in neutron:
status: In Progress → Incomplete
Revision history for this message
new (cloudie) wrote :

As I tested, yes, this is responsible for disclosing the privacy of the VM by redirecting its network traffic to some destination point, irrespective of who is looking at the traffic, either the host or some other party.

Changed in neutron:
status: Incomplete → Confirmed
Revision history for this message
Brian Haley (brian-haley) wrote :

But who is redirecting the VM traffic? Is it being done by a port mirror? That isn't something a tenant can do, only someone with access to the hypervisor. If I am misunderstanding then please list the commands a tenant can run to cause this.

Changed in neutron:
status: Confirmed → Incomplete