l3 agent metadata proxy allows access to metadata from any available network
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
High
|
Brian Haley |
Bug Description
Tested with Train release, by quick code check it affects also at least Rocky, Stein and Ussuri (current master).
The security issue is than one can access metadata of an arbitrary other instance if the following conditions are met (let's call the "other instance" a "victim", it can be in any other project not normally available to the attacker):
1) Victim's port fixed IP address is known.
2) Victim's port network ID is known.
3) Attacker can use a network with access to l3 agent metadata proxy (i.e. can use routers) and deploy instances.
The scenario is as follows:
1) create a self-service network including the targeted address
2) create an instance with the same fixed IP address
3) create a router and wire it up with that network (other connections irrelevant)
4) boot up the instance (make sure to drop the potential route to dhcp agent metadata proxy if used)
5) run e.g.:
curl -H "X-Neutron-
Observed behaviour:
Normally-secret information disclosure.
Expected behaviour:
Proxy ignores (removes) that extra header and proceeds as if nothing happened (most expected)
OR proxy returns an error (and logs it / sends a notification about it)
OR proxy blocks the request and calls the police as you are a bad boy :-) (least expected... but nice)
Initial code analysis:
1) the haproxy config is inadequate:
https:/
^ this should replace all current headers in the current trust model
2) the reason this works with l3 agent (and so far not with dhcp agent unless there is some other general header exploit in the stack) are the following lines:
https:/
Changed in neutron: | |
status: | New → Confirmed |
assignee: | nobody → Brian Haley (brian-haley) |
tags: |
added: l3-dvr-backlog removed: l3-agent metadata |
description: | updated |
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
tags: | added: security |
Changed in neutron: | |
importance: | Undecided → High |
tags: | added: neutron-proactive-backport-potential |
tags: | removed: neutron-proactive-backport-potential |
So if I'm reading https:/ /www.haproxy. com/documentati on/hapee/ 1-7r1/traffic- management/ http-rewrite/ correctly, making this small change in the metadata agent driver should fix this:
s/add-header/ set-header
set-header removes first any header in existing field that matches <name>.
If others agree I could send out a patch.