precreated router ports can enable cross tenant plugging
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
neutron | Fix Released | Critical | Mark McClain | |
Icehouse | New | Critical | Unassigned | |
Bug Description
Previously we addressed the case where a tenant could attach a port to another tenant's router by knowing (or guessing) an existing router UUID [1]. The fix only prevents a tenant from attaching to existing routers, but does not defend against speculative router port creation. In systems where randomness is low, speculation of the result of uuid4() can allow a tenant to predict the ids of future routers, enabling cross-tenant plugging since device_id is assumed to be trusted and queries are not scoped by tenant.
The vulnerability was closed in Juno by the work to prevent orphaned ports [2].
That fix for Icehouse cannot be backported since it adds new models and requires a database migration. A separate fix will be proposed for Icehouse and regression tests will be proposed for Juno.
[1] https:/
[2] https:/
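The description above turns on two points: device_id is trusted, and port lookups are not scoped by tenant. The following added example (a simplified in-memory model, not Neutron's code and not the fix referenced in the report) contrasts an unscoped lookup with a tenant-scoped one and audits port records for cross-tenant or dangling device_id values. The field names id, tenant_id and device_id follow Neutron's port and router attributes; the function names, tenant names and UUIDs are constructed for illustration.

```python
# Added illustration: a simplified in-memory model, not Neutron's code.
# All tenant names and UUIDs below are constructed sample values.
ROUTERS = [
    {"id": "11111111-1111-4111-8111-111111111111", "tenant_id": "tenant-a"},
]
PORTS = [
    # Interface port created by the router's owner.
    {"id": "port-1", "tenant_id": "tenant-a",
     "device_id": "11111111-1111-4111-8111-111111111111"},
    # Port owned by a different tenant carrying the same device_id.
    {"id": "port-2", "tenant_id": "tenant-b",
     "device_id": "11111111-1111-4111-8111-111111111111"},
    # Port whose device_id matches no existing device (pre-created).
    {"id": "port-3", "tenant_id": "tenant-b",
     "device_id": "22222222-2222-4222-8222-222222222222"},
    # Unbound port: nothing to check.
    {"id": "port-4", "tenant_id": "tenant-b", "device_id": ""},
]


def router_ports_unscoped(ports, router):
    """Lookup that trusts device_id alone, the pattern the report describes."""
    return [p["id"] for p in ports if p["device_id"] == router["id"]]


def router_ports_scoped(ports, router):
    """Same lookup, additionally requiring the router owner's tenant_id."""
    return [p["id"] for p in ports
            if p["device_id"] == router["id"]
            and p["tenant_id"] == router["tenant_id"]]


def audit(ports, routers, other_device_ids=()):
    """Flag cross-tenant router bindings and device_ids that name no device."""
    owner = {r["id"]: r["tenant_id"] for r in routers}
    known = set(owner) | set(other_device_ids)
    findings = {"cross_tenant": [], "dangling": []}
    for p in ports:
        dev = p["device_id"]
        if not dev:
            continue
        if dev in owner and owner[dev] != p["tenant_id"]:
            findings["cross_tenant"].append(p["id"])
        elif dev not in known:
            findings["dangling"].append(p["id"])
    return findings


if __name__ == "__main__":
    print(router_ports_unscoped(PORTS, ROUTERS[0]))
    print(router_ports_scoped(PORTS, ROUTERS[0]))
    print(audit(PORTS, ROUTERS))
```

In a real deployment, other_device_ids would hold the ids of instances and other devices that legitimately own ports, so that only device_id values naming nothing at all are reported as dangling.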
description: | updated |
description: | updated |
Changed in neutron: | |
milestone: | none → 2014.2 |
status: | In Progress → Fix Released |
Changed in ossa: | |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in ossa: | |
status: | Confirmed → Incomplete |
importance: | High → Undecided |
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
@Mark McClain So far we have not considered UUID guessing a valid attack vector as a UUID is a sufficiently long and random number. Trusting UUIDs is an acceptable tradeoff as long as they are random.
From a vulnerability point of view, I don't think we are willing to support systems with low entropy/randomness.
So the question is, what makes the described system vulnerable to UUID guessing... faulty hardware?
Is it OpenStack code that does not work as intended and lowers system randomness?
Is it a third-party system/drivers that do not provide enough entropy?
Or is it a bad configuration/