NDP proxy allows address takeover when address scope is not used
Bug #1987410 reported by
Dr. Jens Harbott
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
neutron |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
When the new NDP proxy feature is configured without an address scope being used on the external network, there is no protection against addresses being used multiple times. This can be exploited by a malicious tenant via creating a subnet with a prefix that covers an address that is already in use and take over (part of) the traffic flowing towards that address. The success of the attack depends on winning the race of who answers the NDP query first, but still a 50% chance of capturing traffic seems dangerous. The attack works not only against other addresses served by NDP proxy, but also against other hosts that may exist, potentially even the gateway for the external network.
tags: | added: l3-ipam-dhcp |
Changed in neutron: | |
status: | New → In Progress |
description: | updated |
tags: | added: security |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.