segment parameter check failed when creating network

Bug #1840895 reported by zjf on 2019-08-21
Affects                       Status        Importance  Assigned to        Milestone
OpenStack Security Advisory   Won't Fix     Undecided   Unassigned
neutron                       Fix Released  High        Slawek Kaplonski

Bug Description

neutron net-create test --provider:network_type vlan --provider:segmentation_id 0

After executing a command like this, every VLAN in the ml2_vlan_allocations table is set to allocated, and no VLAN network can be created.

The validate_provider_segment function should check whether provider:segmentation_id is 0.

zjf (zjf) on 2019-08-21
information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Private
information type: Private → Private Security
zjf (zjf) on 2019-08-21
information type: Private Security → Private
information type: Private → Private Security
information type: Private Security → Private
Thierry Carrez (ttx) wrote :

Changed access back to 'Private Security' at the request of the OpenStack Vulnerability Management Team

information type: Private → Private Security
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Jeremy Stanley (fungi) wrote :

Just to clarify, is the risk that a user could create a network with a segmentation_id of 0 and cause a denial of service condition in which users for other tenants would then be unable to create new VLAN networks?

Also, be aware that since this report was initially opened as a "public" type, E-mail notification with the description was already automatically sent to the hundreds of people who subscribe to Neutron bug reports, some of whom could be publicly archiving or redistributing them too, so switching it to "private" or "private security" afterward probably doesn't accomplish much. I recommend we switch it to "public security" for continued discussion, unless the risk factor for this bug is extremely high.

zjf (zjf) on 2019-08-22
information type: Private Security → Private
information type: Private → Private Security
information type: Private Security → Public Security
information type: Public Security → Private Security
zjf (zjf) wrote :

I don't know how to evaluate the risk; 'private security' may be more reasonable.

The problem is like you clarified: 'other tenants would then be unable to create new VLAN networks.'

Slawek Kaplonski (slaweq) wrote :

Hi,

Thanks for reporting this issue. Indeed, it looks like with the mentioned command a user can automatically allocate all available VLAN IDs from the DB.
So it looks like quite a serious issue. But on the other hand, a provider network can by default be created only by an admin user (see https://github.com/openstack/neutron/blob/master/neutron/conf/policies/network.py#L91), so I'm not sure if that is really a serious security issue. An admin user should be aware of what they are doing in the cloud, and such a user in fact also has other potential possibilities to "break" something for users.

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Slawek Kaplonski (slaweq)
Slawek Kaplonski (slaweq) wrote :

It seems to me that this can be broken only in the case when the --provider:physical_network parameter isn't given and segmentation_id is set to 0.
In other cases I couldn't reproduce this issue.
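The trigger described in the bug description and in the comment above, as an added example that is not part of the bug report or of Neutron's code: a toy model in Python of the ML2 VLAN type driver's validate-then-reserve path. The class and function names, the in-memory stand-in for the ml2_vlan_allocations table, and the shape of the reservation query are assumptions that mimic the driver; the point it demonstrates is that a truthiness test ("if segmentation_id:") treats segmentation_id 0 as "not supplied", so the request passes validation with no physical_network, counts as fully specified, and the bulk update that claims the row runs with an empty filter. An "is not None" test (the assumed form of the fix) rejects the same request before any row is touched.

```python
"""Toy model of the ML2 VLAN type driver for bug #1840895.

Added illustration, not Neutron's code: names, table layout and query
shapes are assumptions that mimic the driver, reduced to plain Python lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_VLAN_TAG = 1      # 802.1Q VID 0 means "priority tagged, no VLAN"
MAX_VLAN_TAG = 4094   # VID 4095 is reserved as well


class InvalidInput(Exception):
    """Stands in for neutron_lib.exceptions.InvalidInput."""


class NoNetworkAvailable(Exception):
    """Raised when no free VLAN is left in the requested scope."""


@dataclass
class VlanAllocation:
    """One row of the modelled ml2_vlan_allocations table."""
    physical_network: str
    vlan_id: int
    allocated: bool = False


def is_valid_vlan_tag(vlan_id: int) -> bool:
    return MIN_VLAN_TAG <= vlan_id <= MAX_VLAN_TAG


def validate_provider_segment(segment: Dict[str, Optional[object]],
                              known_physnets: List[str],
                              fixed: bool) -> None:
    """Validate {"physical_network": ..., "segmentation_id": ...}.

    fixed=False tests truthiness, so 0 counts as "not supplied" and never
    reaches a range check. fixed=True tests "is not None", so 0 is checked.
    """
    physical_network = segment.get("physical_network")
    segmentation_id = segment.get("segmentation_id")

    def supplied(value) -> bool:
        return value is not None if fixed else bool(value)

    if physical_network:
        if physical_network not in known_physnets:
            raise InvalidInput("physical_network %r unknown for VLAN "
                               "provider network" % physical_network)
        if supplied(segmentation_id) and not is_valid_vlan_tag(segmentation_id):
            raise InvalidInput("segmentation_id out of range (%d through %d)"
                               % (MIN_VLAN_TAG, MAX_VLAN_TAG))
    elif supplied(segmentation_id):
        raise InvalidInput("segmentation_id requires physical_network for "
                           "VLAN provider network")


def is_rejected(segment, known_physnets, fixed: bool) -> bool:
    """True when validation raises InvalidInput for this segment."""
    try:
        validate_provider_segment(segment, known_physnets, fixed)
    except InvalidInput:
        return True
    return False


def reserve_provider_segment(table: List[VlanAllocation], segment,
                             known_physnets: List[str],
                             fixed: bool) -> VlanAllocation:
    """Validate, then reserve a row the way the modelled driver does.

    The row filter only carries keys that are not None, and a segment is
    "partial" when segmentation_id is None. With physical_network absent and
    segmentation_id == 0 the buggy validation passes, the segment counts as
    fully specified, and the filter is empty, so the modelled bulk
    "UPDATE ... WHERE allocated = false" claims every free row.
    """
    validate_provider_segment(segment, known_physnets, fixed)
    physical_network = segment.get("physical_network")
    segmentation_id = segment.get("segmentation_id")

    filters = {}
    if physical_network is not None:
        filters["physical_network"] = physical_network
        if segmentation_id is not None:
            filters["vlan_id"] = segmentation_id

    free = [row for row in table if not row.allocated
            and all(getattr(row, k) == v for k, v in filters.items())]
    if not free:
        raise NoNetworkAvailable()
    chosen = free[0]

    if segmentation_id is None:
        chosen.allocated = True        # partial: claim by primary key only
    else:
        for row in free:               # full: claim by the request filters
            row.allocated = True       # (empty filters => every free row)
    return chosen


def build_table(physnets: List[str], lo: int = 100, hi: int = 110):
    """Constructed sample table: VLANs lo..hi on each physical network."""
    return [VlanAllocation(p, v) for p in physnets for v in range(lo, hi + 1)]


def allocated_count(table: List[VlanAllocation]) -> int:
    return sum(1 for row in table if row.allocated)


def reproduce(fixed: bool) -> int:
    """Run the reporter's request on a fresh table; return the number of
    allocated rows afterwards, or -1 if validation rejected the request."""
    physnets = ["physnet1", "physnet2"]
    table = build_table(physnets)
    segment = {"physical_network": None, "segmentation_id": 0}
    try:
        reserve_provider_segment(table, segment, physnets, fixed)
    except InvalidInput:
        return -1
    return allocated_count(table)


if __name__ == "__main__":
    print("buggy driver, rows allocated:", reproduce(fixed=False))  # 22
    print("fixed driver, rows allocated:", reproduce(fixed=True))   # -1
```

On a real deployment the equivalent check is to count rows in ml2_vlan_allocations with allocated set before and after the command; the policy point raised above still holds, since the request needs the admin-only provider attributes in the first place.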

Slawek Kaplonski (slaweq) wrote :

Proposed fix for this issue is in attached patch.

Jeremy Stanley (fungi) wrote :

Okay, if the gist of this report is that a global administrator can make configuration choices which result in a denial of service for the services they're managing, I don't think we need to work on this in private and probably also don't need an advisory about it. Unless someone disputes that, I'll switch this report to public and mark it as a security hardening opportunity at the end of this week.

Slawek Kaplonski (slaweq) wrote :

@fungi: that works for me. When the bug is public I will send my patch to Gerrit.

zjf (zjf) wrote :

@fungi: okay.

Jeremy Stanley (fungi) wrote :

Since there's been no objection, I'm switching this bug report to public and assessing as class D (security hardening opportunity) per the OpenStack VMT's report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

information type: Private Security → Public
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
tags: added: security

Fix proposed to branch: master
Review: https://review.opendev.org/679510

Changed in neutron:
status: Confirmed → In Progress

Reviewed: https://review.opendev.org/679510
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f01f3ae5dd0dd7dd9aa513a1b50e04e20a08b97b
Submitter: Zuul
Branch: master

commit f01f3ae5dd0dd7dd9aa513a1b50e04e20a08b97b
Author: Slawek Kaplonski <email address hidden>
Date: Fri Aug 30 22:32:19 2019 +0200

    Fix creation of vlan network with segmentation_id set to 0

    In the case when a vlan network was created with segmentation_id=0 and
    without physical_network given, it was passing validation of the provider
    segment and the first available segmentation_id was chosen for the network.
    The problem was that in such a case all available segmentation ids were
    allocated and no other vlan network could be created later.

    This patch fixes validation of segmentation_id when it is set to value 0.

    Change-Id: Ic768deb84d544db832367f9a4b84a92729eee620
    Closes-bug: #1840895

Changed in neutron:
status: In Progress → Fix Released

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

Reviewed: https://review.opendev.org/682558
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f050abab45daeb91443797b6c82a31eb06885a68
Submitter: Zuul
Branch: stable/rocky

commit f050abab45daeb91443797b6c82a31eb06885a68
Author: Slawek Kaplonski <email address hidden>
Date: Fri Aug 30 22:32:19 2019 +0200

    Fix creation of vlan network with segmentation_id set to 0

    In the case when a vlan network was created with segmentation_id=0 and
    without physical_network given, it was passing validation of the provider
    segment and the first available segmentation_id was chosen for the network.
    The problem was that in such a case all available segmentation ids were
    allocated and no other vlan network could be created later.

    This patch fixes validation of segmentation_id when it is set to value 0.

    Change-Id: Ic768deb84d544db832367f9a4b84a92729eee620
    Closes-bug: #1840895
    (cherry picked from commit f01f3ae5dd0dd7dd9aa513a1b50e04e20a08b97b)

tags: added: in-stable-rocky
tags: added: in-stable-queens

Reviewed: https://review.opendev.org/682559
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=17f3b75007643e8329eb93194d2e9597be3b90fb
Submitter: Zuul
Branch: stable/queens

commit 17f3b75007643e8329eb93194d2e9597be3b90fb
Author: Slawek Kaplonski <email address hidden>
Date: Fri Aug 30 22:32:19 2019 +0200

    Fix creation of vlan network with segmentation_id set to 0

    In the case when a vlan network was created with segmentation_id=0 and
    without physical_network given, it was passing validation of the provider
    segment and the first available segmentation_id was chosen for the network.
    The problem was that in such a case all available segmentation ids were
    allocated and no other vlan network could be created later.

    This patch fixes validation of segmentation_id when it is set to value 0.

    Change-Id: Ic768deb84d544db832367f9a4b84a92729eee620
    Closes-bug: #1840895
    (cherry picked from commit f01f3ae5dd0dd7dd9aa513a1b50e04e20a08b97b)

Reviewed: https://review.opendev.org/682557
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7156ebfc2853ceeeeb94b7a4f9046eeb256051c1
Submitter: Zuul
Branch: stable/stein

commit 7156ebfc2853ceeeeb94b7a4f9046eeb256051c1
Author: Slawek Kaplonski <email address hidden>
Date: Fri Aug 30 22:32:19 2019 +0200

    Fix creation of vlan network with segmentation_id set to 0

    In the case when a vlan network was created with segmentation_id=0 and
    without physical_network given, it was passing validation of the provider
    segment and the first available segmentation_id was chosen for the network.
    The problem was that in such a case all available segmentation ids were
    allocated and no other vlan network could be created later.

    This patch fixes validation of segmentation_id when it is set to value 0.

    Change-Id: Ic768deb84d544db832367f9a4b84a92729eee620
    Closes-bug: #1840895
    (cherry picked from commit f01f3ae5dd0dd7dd9aa513a1b50e04e20a08b97b)

tags: added: in-stable-stein

This issue was fixed in the openstack/neutron 14.0.3 release.

This issue was fixed in the openstack/neutron 13.0.5 release.

This issue was fixed in the openstack/neutron 12.1.1 release.
