neutron

[OSSA-2019-001] It's possible to add a security group rule for VRRP with a dport (CVE-2019-9735)

Bug #1818385 reported by Erik Olof Gunnar Andersson on 2019-03-03

270

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Security Advisory	Fix Released	Critical	Jeremy Stanley
	neutron	Fix Released	Critical	Brian Haley

Bug Description

This command should be invalid, but Neutron (Rocky) allows it to be created.
> openstack security group rule create xxx --protocol vrrp --ingress --remote-ip <ip> --dst-port 112

Since iptables does not allow dst-port being passed. It would trigger the following error on the compute and fail to apply any future iptable rules.
> unknown option "--dport"

See original description

Tags:

CVE References

2019-9735

Erik Olof Gunnar Andersson (eandersson) on 2019-03-03

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-03: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/640619

Changed in neutron:
assignee:	nobody → Doug Wiegley (dougwig)
status:	New → In Progress

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-03-03: Re: It's possible to add a security group rule for VRRP with a dport

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in neutron:
status:	In Progress → Incomplete
status:	Incomplete → In Progress
Changed in ossa:
status:	New → Incomplete
information type:	Public → Public Security

Erik Olof Gunnar Andersson (eandersson) on 2019-03-03

description:	updated
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-04: Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/640685

Slawek Kaplonski (slaweq) on 2019-03-04

Changed in neutron:
importance:	Undecided → Critical

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-04: Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/640702

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-04: Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/640790

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-04: Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/640791

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-03-05: Re: It's possible to add a security group rule for VRRP with a dport

Just to confirm, any tenant can add such a malformed security group rule and block all future rules any other tenant tries to add for an instance on the same hypervisor host. Is this an accurate assessment? Just trying to get the details straight for triage of possible advisory and associated impact description. Thanks!

Revision history for this message

Doug Wiegley (dougwig) wrote on 2019-03-05:

A little bit worse than that, since we also use the rules for basic connectivity in some cases, so sometimes no new VMs would ever work, and the ones that do would be open. And if the hypervisor is rebooted or the neutron agent restarted, all rules would end up wiped.

Your iptables would effectively be frozen at the point of the bad rule being inserted, whatever that was.

Workarounds include the patch, or using the OVS security group driver.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2019-03-05:

Thanks for the prompt feedback Doug. I'm triaging this as class A based on above comments.

Changed in ossa:
status:	Incomplete → Confirmed
importance:	Undecided → Critical

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-05: Change abandoned on neutron (stable/ocata)

#10

Change abandoned by Doug Wiegley (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/640791
Reason: Will re-spin when master merges, and check that UT failure there.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-05: Change abandoned on neutron (stable/pike)

#11

Change abandoned by Doug Wiegley (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/640790
Reason: Will re-spin when master merges, and check that UT failure there.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-08: Fix proposed to neutron (master)

#12

Fix proposed to branch: master
Review: https://review.openstack.org/642145

Changed in neutron:
assignee:	Doug Wiegley (dougwig) → Brian Haley (brian-haley)

Revision history for this message

Marcin Kosobucki (mkosobucki) wrote on 2019-03-08: Re: It's possible to add a security group rule for VRRP with a dport

#13

It may be worth, to consider syntax validation using "iptables-restore --test" before actually trying to apply changes.

OpenStack Infra (hudson-openstack) on 2019-03-09

Changed in neutron:
assignee:	Brian Haley (brian-haley) → Slawek Kaplonski (slaweq)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-10: Fix merged to neutron (master)

#14

Reviewed: https://review.openstack.org/640619
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8c213e45902e21d2fe00639ef7d92b35304bde82
Submitter: Zuul
Branch: master

commit 8c213e45902e21d2fe00639ef7d92b35304bde82
Author: Doug Wiegley <email address hidden>
Date: Sat Mar 2 22:35:52 2019 -0700

When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

    Marking this a partial fix, since we need a change to prevent
    adding those incompatible rules in the first place, but this
    patch will stop the bleeding.

Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
Partial-Bug: #1818385

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-03-11: Re: It's possible to add a security group rule for VRRP with a dport

#15

Given a hotfix for this has merged on master now, I'm proposing an impact description for use in an upcoming OpenStack Security Advisory and associated CVE request. Please suggest improvements...

Title: Unsupported dport option prevents applying security groups
Reporter: Erik Olof Gunnar Andersson (Blizzard Entertainment)
Products: Neutron
Affects: <10.0.8, >=11.0.0 <11.0.7, >=12.0.0 <12.0.6, >=13.0.0 <13.0.3

Description:
Erik Olof Gunnar Andersson with Blizzard Entertainment reported a vulnerability in Neutron's iptables firewall module. By setting a destination port in a security group rule along with a protocol which doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. Only deployments using the iptables security group driver are affected.

Changed in ossa:
status:	Confirmed → Triaged
assignee:	nobody → Jeremy Stanley (fungi)
tags:	added: ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential

Revision history for this message

Doug Wiegley (dougwig) wrote on 2019-03-11:

#16

I'll update the backports today.

Changed in neutron:
assignee:	Slawek Kaplonski (slaweq) → Doug Wiegley (dougwig)

OpenStack Infra (hudson-openstack) on 2019-03-11

Changed in neutron:
assignee:	Doug Wiegley (dougwig) → Brian Haley (brian-haley)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2019-03-12:

#17

Thanks fungi, the impact description LGTM.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-12: Fix merged to neutron (stable/queens)

#18

Reviewed: https://review.openstack.org/640702
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b88ab58daf12337903f3fd8a4ab4c6add6f379cd
Submitter: Zuul
Branch: stable/queens

commit b88ab58daf12337903f3fd8a4ab4c6add6f379cd
Author: Doug Wiegley <email address hidden>
Date: Sat Mar 2 22:35:52 2019 -0700

When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

    Marking this a partial fix, since we need a change to prevent
    adding those incompatible rules in the first place, but this
    patch will stop the bleeding.

    Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
    Partial-Bug: #1818385
    (cherry picked from commit 8c213e45902e21d2fe00639ef7d92b35304bde82)

tags:

added: in-stable-queens

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-03-12: Re: It's possible to add a security group rule for VRRP with a dport

#19

As no edits have been recommended for the proposed impact description, I have now used it to submit a CVE request to MITRE and will update this report with the assigned CVE identifier once issued.

Jeremy Stanley (fungi) on 2019-03-13

summary:

It's possible to add a security group rule for VRRP with a dport
+ (CVE-2019-9735)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-13: Related fix proposed to ossa (master)

#20

Related fix proposed to branch: master
Review: https://review.openstack.org/643007

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-13: Fix merged to neutron (stable/rocky)

#21

Reviewed: https://review.openstack.org/640685
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=558a977902c9e83aabaefe67333aee544aa86585
Submitter: Zuul
Branch: stable/rocky

commit 558a977902c9e83aabaefe67333aee544aa86585
Author: Doug Wiegley <email address hidden>
Date: Sat Mar 2 22:35:52 2019 -0700

When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

    Marking this a partial fix, since we need a change to prevent
    adding those incompatible rules in the first place, but this
    patch will stop the bleeding.

    Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
    Partial-Bug: #1818385
    (cherry picked from commit 8c213e45902e21d2fe00639ef7d92b35304bde82)

tags:

added: in-stable-rocky

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-13: Fix merged to neutron (stable/ocata)

#22

Reviewed: https://review.openstack.org/640791
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f6be9d7ad9522b58b293494e2e9988ce19387273
Submitter: Zuul
Branch: stable/ocata

commit f6be9d7ad9522b58b293494e2e9988ce19387273
Author: Doug Wiegley <email address hidden>
Date: Sat Mar 2 22:35:52 2019 -0700

When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

    Marking this a partial fix, since we need a change to prevent
    adding those incompatible rules in the first place, but this
    patch will stop the bleeding.

    Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
    Partial-Bug: #1818385
    (cherry picked from commit 8c213e45902e21d2fe00639ef7d92b35304bde82)

tags:

added: in-stable-ocata

Bernard Cafarelli (bcafarel) on 2019-03-15

tags:

added: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-16: Fix merged to neutron (stable/pike)

#23

Reviewed: https://review.openstack.org/640790
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e53afe831abd651e318b5a56372a230ee5f49731
Submitter: Zuul
Branch: stable/pike

commit e53afe831abd651e318b5a56372a230ee5f49731
Author: Doug Wiegley <email address hidden>
Date: Sat Mar 2 22:35:52 2019 -0700

When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

    Marking this a partial fix, since we need a change to prevent
    adding those incompatible rules in the first place, but this
    patch will stop the bleeding.

    Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
    Partial-Bug: #1818385
    (cherry picked from commit 8c213e45902e21d2fe00639ef7d92b35304bde82)

tags:

added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-18: Fix merged to neutron (master)

#24

Reviewed: https://review.openstack.org/642145
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Submitter: Zuul
Branch: master

commit 4350ed3c3556388eaa7f8623ed05b5adc86e9c16
Author: Brian Haley <email address hidden>
Date: Fri Mar 8 15:24:24 2019 -0500

Better handle ports in security groups

After taking a closer look at bug 1818385, I found a couple
of follow-on things to fix in the security group code.

    First, there are very few protocols that accept ports,
    especially via iptables. For this reason I think it's
    acceptable that the API rejects them as invalid.

    Second, UDPlite has some interesting support in iptables. It
    does not support using --dport directly, but does using
    '-m multiport --dports 123', and also supports port ranges using
    '-m multiport --dports 123:124'. Added code for this special
    case.

Change-Id: Ifb2e6bb6c7a2e2987ba95040ef5a98ed50aa36d4
Closes-Bug: #1818385

Changed in neutron:
status:	In Progress → Fix Released

Jeremy Stanley (fungi) on 2019-03-18

summary:	- It's possible to add a security group rule for VRRP with a dport - (CVE-2019-9735) + [OSSA-2019-001] It's possible to add a security group rule for VRRP with + a dport (CVE-2019-9735)
Changed in ossa:
status:	Triaged → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-18: Related fix merged to ossa (master)

#25

Reviewed: https://review.openstack.org/643007
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=a8c4ab769b94fd8d8d0e849a5541beee47f0532a
Submitter: Zuul
Branch: master

commit a8c4ab769b94fd8d8d0e849a5541beee47f0532a
Author: Tristan Cacqueray <email address hidden>
Date: Wed Mar 13 11:17:15 2019 +0000

Adds OSSA-2019-001 (CVE-2019-9735)

Change-Id: I11ec9820642d1eca14517bd39e01b5e8581cda82
Related-Bug: #1818385

Jeremy Stanley (fungi) on 2019-03-18

Changed in ossa:
status:	Fix Committed → Fix Released

Bernard Cafarelli (bcafarel) on 2019-03-18

tags:

removed: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-24: Fix included in openstack/neutron 14.0.0.0rc1

#26

This issue was fixed in the openstack/neutron 14.0.0.0rc1 release candidate.

Bernard Cafarelli (bcafarel) on 2019-06-19

tags:

added: neutron-proactive-backport-potential

Bernard Cafarelli (bcafarel) on 2019-11-28

tags:

removed: neutron-proactive-backport-potential ocata-backport-potential pike-backport-potential queens-backport-potential rocky-backport-potential

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.